[Federal Register Volume 91, Number 118 (Monday, June 22, 2026)]
[Proposed Rules]
[Pages 37234-37272]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2026-12460]
Part II
Department of the Treasury
-----------------------------------------------------------------------
Financial Crimes Enforcement Network
-----------------------------------------------------------------------
31 CFR Part 1033
Permitted Payment Stablecoin Issuer Customer Identification Program;
Proposed Rule
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Part 1033
RIN 1506-AB74
Permitted Payment Stablecoin Issuer Customer Identification
Program
AGENCY: Financial Crimes Enforcement Network and Office of the
Comptroller of the Currency, Treasury; Board of Governors of the
Federal Reserve System; Federal Deposit Insurance Corporation; National
Credit Union Administration.
ACTION: Joint proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Financial Crimes Enforcement Network (FinCEN), together
with the Office of the Comptroller of the Currency (OCC), the Board of
Governors of the Federal Reserve System (Board), the Federal Deposit
Insurance Corporation (FDIC), and the National Credit Union
Administration (NCUA) are jointly issuing this proposed rule to
implement certain provisions of the Guiding and Establishing National
Innovation for U.S. Stablecoins Act (GENIUS Act). Specifically,
this rulemaking implements the GENIUS Act's directives to treat
permitted payment stablecoin issuers as financial institutions under
the Bank Secrecy Act and to require issuers to maintain an effective
customer identification program.
DATES: Comments must be received by August 21, 2026.
ADDRESSES: Comments should be directed to:
FinCEN: Comments must be submitted in one of the following two ways
(please choose only one of the ways listed):
Electronically at https://www.regulations.gov. Follow the
``Submit a comment'' instructions under Docket FINCEN-2026-0101. If you
are reading this document on federalregister.gov, you may use the green
``SUBMIT A PUBLIC COMMENT'' button beneath this rulemaking's title to
submit a comment to the regulations.gov docket.
You may mail written comments to the following address:
Regulatory and Strategic Affairs Division, Financial Crimes Enforcement
Network, P.O. Box 39, Vienna, VA 22183. Mailed comments must be
received by the close of the comment period.
Do not include any personally identifiable information (such as
name, address, or other contact information) or confidential business
information that you do not want publicly disclosed. All comments are
public records; they are publicly displayed exactly as received, and
will not be deleted, modified, or redacted. Comments may be submitted
anonymously.
Follow the search instructions on https://www.regulations.gov to
view public comments.
OCC: Commenters are encouraged to submit comments through the
Federal eRulemaking Portal. Please use the title ``Permitted Payment
Stablecoin Issuer Customer Identification Program'' and ``RIN 1557-AF53''
to facilitate the organization and distribution of the comments.
You may submit comments by any of the following methods:
Federal eRulemaking Portal--Regulations.gov: Go to https://regulations.gov. Enter Docket ID OCC-2026-0331 in the Search Box and
click ``Search.'' Public comments can be submitted via the ``Comment''
box below the displayed document information or by clicking on the
document title and then clicking the ``Comment'' box on the top-left
side of the screen. For help with submitting effective comments please
click on ``Commenter's Checklist.'' For assistance with the
regulations.gov site, please call 1-866-498-2945 (toll free)
Monday-Friday, 9 a.m.-5 p.m. ET, or email [email protected].
Mail: Chief Counsel's Office, Attention: Comment
Processing, Office of the Comptroller of the Currency, 400 7th Street
SW, Suite 1E-216, Washington, DC 20219.
Hand Delivery/Courier: 400 7th Street SW, Suite 1E-216,
Washington, DC 20219.
Instructions: You must include ``OCC'' as the agency name and
Docket ID OCC-2026-0331 in your comment. In general, the OCC will enter
all comments received into the docket and publish the comments on the
regulations.gov website without change, including any business or
personal information provided such as name and address information,
email addresses, or phone numbers. Comments received, including
attachments and other supporting materials, are part of the public
record and subject to public disclosure. Do not include any information
in your comment or supporting materials that you consider confidential
or inappropriate for public disclosure.
You may review comments and other related materials that pertain to
this action by the following method:
Viewing Comments Electronically--Regulations.gov: Go to
https://regulations.gov. Enter Docket ID OCC-2026-0331 in the Search
Box and click ``Search.'' Click on the ``Documents'' tab and then the
document's title. After clicking the document's title, click the
``Document Comments'' tab. Comments can be viewed and filtered by
clicking on the ``Sort By'' drop-down on the right side of the screen
or the ``Refine Results'' options on the left side of the screen.
Supporting materials can be viewed by clicking on the ``Documents''
tab. Click on the ``Sort By'' drop-down on the right side of the screen
or the ``Refine Documents Results'' options on the left side of the
screen checking the ``Supporting & Related Material'' checkbox. For
assistance with the regulations.gov site, please call 1-866-498-2945
(toll free) Monday-Friday, 9 a.m.-5 p.m. ET, or email
[email protected].
The docket may be viewed after the close of the comment period in
the same manner as during the comment period.
Board: You may submit comments, identified by Docket No. R-1885 and
RIN 7100-AH18, by any of the following methods:
Agency Website: https://www.federalreserve.gov. Follow the
instructions for submitting comments at https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
Email: [email protected]. Include docket
and RIN numbers in the subject line of the message.
Fax: (202) 452-3819 or (202) 452-3102.
Mail: Benjamin W. McDonough, Secretary, Board of Governors
of the Federal Reserve System, 20th Street and Constitution Avenue NW,
Washington, DC 20551.
Instructions: All public comments are available from the
Board's website at https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted. Accordingly, comments will not be edited
to remove any identifying or contact information. Public comments may
also be viewed electronically or on paper in Room M-4365A, 2001 C
Street NW, Washington, DC 20551, between 9 a.m. and 5 p.m. during
Federal business weekdays. For security reasons, the Board requires
that visitors make an appointment to inspect comments. You may do so by
calling (202) 452-3684. Upon arrival, visitors will be required to
present valid government-issued photo identification and to submit to
security screening in order to inspect and photocopy comments. For
users of TTY-TRS, please call 711 from any telephone, anywhere in the
United States.
FDIC: You may submit comments, identified by RIN 3064-AG28, by any
of the following methods:
FDIC Website: https://www.fdic.gov/federal-register-publications. Follow instructions for submitting comments on the agency
website.
Email: [email protected]. Include RIN 3064-AG28 in the
subject line of the message.
Mail: Jennifer M. Jones, Deputy Executive Secretary,
Attention: Comments--RIN 3064-AG28, Federal Deposit Insurance
Corporation, 550 17th Street NW, Washington, DC 20429.
Hand Delivery to FDIC: Comments may be hand-delivered to
the guard station at the rear of the 550 17th Street NW building
(located on F Street) on business days between 7 a.m. and 5 p.m.
Public Inspection: Comments received, including any
personal information provided, may be posted without change to https://www.fdic.gov/federal-register-publications. Commenters should submit
only information that the commenter wishes to make available publicly.
The FDIC may review, redact, or refrain from posting all or any portion
of any comment that it may deem to be inappropriate for publication,
such as irrelevant or obscene material. The FDIC may post only a single
representative example of identical or substantially identical
comments, and in such cases will generally identify the number of
identical or substantially identical comments represented by the posted
example. All comments that have been redacted, as well as those that
have not been posted, that contain comments on the merits of the
proposed rule will be retained in the public comment file and will be
considered as required under all applicable laws. All comments may be
accessible under the Freedom of Information Act.
NCUA: You may submit comments, identified by RIN 3133-AG09, by any
of the following methods (please send comments by one method only):
Federal eRulemaking Portal: https://www.regulations.gov.
The docket number for this proposed rule is NCUA-2026-0793. Follow the
instructions for submitting comments. A plain language summary of the
proposed rule is also available on the docket website.
Mail: Address to Melane Conyers-Ausbrooks, Secretary of
the Board, National Credit Union Administration, 1775 Duke Street,
Alexandria, Virginia 22314-3428.
Hand Delivery/Courier: Same as mailing address.
Public inspection: You may view all public comments on the
Federal eRulemaking Portal at https://www.regulations.gov, as
submitted, except for those we cannot post for technical reasons. The
NCUA will not edit or remove any identifying or contact information
from the public comments submitted. If you are unable to access public
comments on the internet, you may contact the NCUA for alternative
access by calling (703) 518-6540 or emailing [email protected].
FOR FURTHER INFORMATION CONTACT:
FinCEN: The FinCEN Regulatory Support Section by submitting an
inquiry at www.fincen.gov/contact.
OCC: Kenneth Kohrs, BSA/AML Lead Expert, Office of the Chief
National Bank Examiner; Jina Cheon, Assistant Director, Melissa
Lisenbee, Counsel, or Henry Barkhausen, Counsel, Bank Advisory Group,
Chief Counsel's Office, (202) 649-5490, Office of the Comptroller of
the Currency, 400 7th Street SW, Washington, DC 20219. If you are deaf,
hard of hearing, or have a speech disability, please dial 7-1-1 to
access telecommunications relay services.
Board: Division of Supervision and Regulation, Lara Lylozian,
Deputy Associate Director, (202) 815-9088, Lee Davis, Lead BSA/AML
Policy Analyst, (202) 740-8219, [email protected], Legal Division,
Jason Gonzalez, Deputy Associate General Counsel, (202) 452-3275,
[email protected], Bernard Kim, Special Counsel, (202) 452-3083,
[email protected].
FDIC: Patricia Colohan, Deputy Director, (202) 898-7283,
[email protected], Division of Risk Management Supervision; Chase
Lubbock, Associate Director, (703) 254-0802, [email protected],
Division of Risk Management Supervision; Christy Cornell-Pape, Acting
Chief, Financial Crimes, (415) 808-8090, [email protected],
Division of Risk Management Supervision; Deborah Tobolowsky, Counsel,
(571) 309-2415, [email protected], Legal Division; Chantal
Hernandez, Counsel, (202) 898-7388, [email protected], Legal
Division; Thomas Krepp, Senior Attorney, (678) 916-2265,
[email protected], Legal Division; Lea Pfeifer, Senior Attorney, (972)
761-8244, [email protected], Legal Division; Maryann Bullion Mitchell,
Senior Attorney, (571) 858-8239, [email protected], Legal
Division; Nicholas Kazmerski, Counsel, (571) 309-3136,
[email protected], Legal Division.
NCUA: Michael Dondarski, Associate Director, Office of Examination
& Insurance, (703) 772-4751, [email protected]; Janell Portare,
Director, Fraud and Anti-Money Laundering Division, Office of
Examination & Insurance, (703) 548-2752, [email protected]; Gira Bose,
Senior Staff Attorney, Office of General Counsel, (703) 518-6540,
[email protected].
SUPPLEMENTARY INFORMATION:
I. Introduction
This proposal implements the GENIUS Act's directives to treat
permitted payment stablecoin issuers (PPSIs) as financial institutions
for purposes of the Bank Secrecy Act (BSA) and to require such issuers
to maintain an ``effective customer identification program, including
identification and verification of account holders.'' \1\ This notice
of proposed rulemaking (NPRM) is being issued jointly by FinCEN, along
with the OCC, Board, FDIC, and NCUA (each an ``Agency'' and
collectively ``the Agencies'') as applied to the PPSIs that each Agency
supervises.\2\ The proposal would also apply to PPSIs that opt for
state supervision under the GENIUS Act.\3\
---------------------------------------------------------------------------
\1\ See 12 U.S.C. 5903(a)(5)(A)(v); see also 31 U.S.C. 5318(l).
\2\ The GENIUS Act outlines the reserve, capital, liquidity, and
risk management requirements for PPSIs and tasks implementing those
requirements to the OCC, Board, FDIC, NCUA, and, as applicable, any
State payment stablecoin regulators. See 12 U.S.C. 5903(a)(4). The
OCC, Board, FDIC, and NCUA are tasked with establishing a process
and framework for the licensing, regulation, examination, and
supervision of PPSIs under their respective purviews. See 12 U.S.C.
5901(25) (defining ``primary Federal payment stablecoin regulator''
and outlining the Agencies' respective jurisdictions for PPSIs).
\3\ See 12 U.S.C. 5903(c) (outlining option for state-level
regulatory regime for PPSIs with a consolidated total outstanding
issuance of not more than $10 billion), 5906 (outlining supervision
by State payment stablecoin regulators), 5901(30) (defining ``State
payment stablecoin regulator'').
---------------------------------------------------------------------------
Separately, FinCEN issued a rulemaking proposing changes to its
existing regulations to effectuate the GENIUS Act's direction to apply
BSA obligations to PPSIs. These changes include creation of a new part
in chapter X applicable to PPSIs, proposed part 1033, into which this
proposed rule would be incorporated.\4\
---------------------------------------------------------------------------
\4\ Office of Foreign Assets Control (OFAC) and FinCEN,
Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering
the Financing of Terrorism Program and Sanctions Compliance Program
Requirements, 91 FR 18582 (Apr. 10, 2026) [hereinafter PPSI AML/CFT
NPRM]. The PPSI AML/CFT NPRM was issued jointly by FinCEN with OFAC
because it also proposes implementation of the GENIUS Act's sanction
compliance program obligation.
---------------------------------------------------------------------------
II. Background and Authority
The GENIUS Act provides a comprehensive framework for the
regulation of payment stablecoins.\5\ The GENIUS Act requires that a
PPSI ``be treated as a financial institution for purposes of the Bank
Secrecy Act, and
as such, shall be subject to all Federal laws applicable to a financial
institution located in the United States relating to economic
sanctions, prevention of money laundering, customer identification, and
due diligence.'' \6\ In addition to this clear, general directive, the
GENIUS Act specifies that a PPSI's obligations include ``maintenance of
an effective customer identification program, including identification
and verification of account holders with the permitted payment
stablecoin issuer.'' \7\
---------------------------------------------------------------------------
\5\ GENIUS Act, Public Law 119-27, 139 Stat. 419 (2025)
(codified at 12 U.S.C. 5901-5916).
\6\ 12 U.S.C. 5903(a)(5)(A).
\7\ 12 U.S.C. 5903(a)(5)(A)(v).
---------------------------------------------------------------------------
The Bank Secrecy Act, or ``BSA,'' is the common name for a
collection of statutory authorities designed to, among other things,
safeguard the national security of the United States by combating money
laundering, the financing of terrorism, and other illicit finance
activity.\8\ The Secretary of the Treasury has delegated the authority
to implement, administer, and enforce the BSA and its associated
regulations to the Director of FinCEN.\9\ The BSA requires the
Secretary of the Treasury to prescribe ``minimum standards'' for
financial institutions regarding ``the identity of the customer that
shall apply in connection with the opening of an account,'' commonly
referred to as customer identification programs (CIPs).\10\ Under the
BSA, these minimum standards the Secretary of the Treasury prescribes
must include reasonable procedures for: (1) verifying the identity of
any person seeking to open an account to the extent reasonable and
practicable; (2) maintaining records of the information used to verify
a person's identity, including name, address, and other identifying
information; and (3) determining whether the person appears on any
lists of known or suspected terrorists or terrorist organizations
provided to the financial institution by any government agency.\11\ In
prescribing regulations related to these minimum standards, the BSA
directs the Secretary of the Treasury to ``take into consideration the
various types of accounts maintained by various types of financial
institutions, the various methods of opening accounts, and the various
types of identifying information available.'' \12\ For financial
institutions engaging in financial activity described in section 4(k)
of the Bank Holding Company Act of 1956, such regulations must be
jointly prescribed by the Secretary of the Treasury and the appropriate
Federal functional regulator.\13\
---------------------------------------------------------------------------
\8\ Certain parts of the Currency and Foreign Transactions
Reporting Act, its amendments, and the other statutes relating to
the subject matter of that Act, have come to be referred to as the
BSA. These statutes are codified at 12 U.S.C. 1829b, 12 U.S.C.
1951-1960, and 31 U.S.C. 5311-5314 and 5316-5336 and notes thereto, with
implementing regulations at 31 CFR chapter X. Consistent with that
understood meaning, as codified, the GENIUS Act defines the ``Bank
Secrecy Act'' to mean ``(A) section 1829b of this title [section 21
of the Federal Deposit Insurance Act]; (B) chapter 2 of title I of
Public Law 91-508 (12 U.S.C. 1951 et seq.); and (C) subchapter II of
chapter 53 of title 31, United States Code.'' 12 U.S.C. 5901(2).
\9\ See Treasury Order 180-01 (Jan. 14, 2020), para. 3,
available at https://home.treasury.gov/about/general-information/orders-and-directives/treasury-order-180-01; see also 31 U.S.C.
310(b)(2)(I) (providing that the Director of FinCEN shall
``[a]dminister the requirements of subchapter II of chapter 53 of
this title, chapter 2 of title I of Public Law 91-508, and section
21 of the Federal Deposit Insurance Act, to the extent delegated
such authority by the Secretary of the Treasury'').
\10\ 31 U.S.C. 5318(l)(1).
\11\ 31 U.S.C. 5318(l)(2).
\12\ 31 U.S.C. 5318(l)(3).
\13\ 31 U.S.C. 5318(l)(4) (referencing section 509 of the
Gramm-Leach-Bliley Act for definition of ``Federal functional regulator''
and noting inclusion of the Commodity Futures Trading Commission).
Under section 509 of the Gramm-Leach-Bliley Act, the term ``Federal
functional regulator'' means (A) the Board of Governors of the
Federal Reserve System; (B) the Office of the Comptroller of the
Currency; (C) the Board of Directors of the Federal Deposit
Insurance Corporation; (D) the Director of the Office of Thrift
Supervision; (E) the National Credit Union Administration Board; and
(F) the Securities and Exchange Commission. 15 U.S.C. 6809(2)
(codifying section 509 of the Gramm-Leach-Bliley Act, Pub. L.
106-102, title V, 113 Stat. 1443 (1999)); see also 31 CFR 1010.100(r)
(defining ``Federal functional regulator'').
---------------------------------------------------------------------------
FinCEN, jointly with the appropriate Federal functional regulators,
has issued implementing regulations imposing CIP obligations on various
types of financial institutions under the BSA, including banks,\14\
brokers or dealers in securities,\15\ mutual funds,\16\ and futures
commission merchants and introducing brokers.\17\ In contrast, money
transmitters do not have a CIP obligation, but they are required to,
for certain activity, verify an individual's identity.\18\ Stablecoin
issuers are presently subject to BSA obligations as financial
institutions and, more specifically, as money transmitters under
FinCEN's regulations, which are a type of money services business
(MSB).\19\
---------------------------------------------------------------------------
\14\ 31 CFR 1020.220; 31 CFR 1010.100(d) (defining ``bank,''
which includes each agent, agency, branch, or office within the
United States of banks, savings associations, credit unions, and
foreign banks).
\15\ 31 CFR 1023.220.
\16\ 31 CFR 1024.220.
\17\ 31 CFR 1026.220.
\18\ MSBs are required, as part of an AML program, to maintain
policies, procedures, and internal controls to verify customer
identification. 31 CFR 1022.210(d)(1)(i)(A). MSBs are also required
to, for transmittals of funds over $3,000, collect identifying
information and, at times, verify identity. 31 CFR
1010.410(e)(1)-(3); see also 31 CFR 1022.400. MSBs also must verify and record
identifying information for transactions in currency that
individually or in aggregate exceed $10,000. See 31 CFR 1010.312;
see also 31 CFR 1022.312.
\19\ See 31 U.S.C. 5312(a)(2)(R) (defining as a ``financial
institution,'' in part, a ``person who engages as a business in the
transmission of currency, funds, or value that substitutes for
currency''); see also 31 U.S.C. 5312(a)(2)(J) (defining as a
``financial institution'' a ``business engaged in the exchange of
currency, funds, or value that substitutes for currency or funds'');
31 CFR 1010.100(ff)(5); FinCEN, FIN-2013-G001, Application of
FinCEN's Regulations to Persons Administering, Exchanging, or Using
Virtual Currencies (Mar. 18, 2013), available at https://www.fincen.gov/system/files/shared/FIN-2013-G001.pdf.
---------------------------------------------------------------------------
The GENIUS Act directs the Secretary of the Treasury to issue
regulations, tailored to the size and complexity of the PPSI, to
implement the GENIUS Act's treatment of PPSIs as financial institutions
for purposes of the BSA, including the requirement that PPSIs maintain
effective customer identification programs.\20\ The GENIUS Act also
directs the Secretary of the Treasury and each primary Federal payment
stablecoin regulator--the OCC, Board, FDIC, and NCUA--to issue
regulations through appropriate notice and comment rulemaking and to
coordinate, as appropriate, to carry out the Act.\21\ FinCEN and the
Agencies are issuing a single, joint rule, ensuring consistent and
uniform application of CIP requirements to all PPSIs subject to each
Agency's jurisdiction.\22\
---------------------------------------------------------------------------
\20\ 12 U.S.C. 5903(a)(5)(B). Pursuant to Treasury Order 101-05
and 31 U.S.C. 321(b)(2), the authority vested in the Secretary under
the GENIUS Act to issue regulations related to the prevention of
money laundering has been delegated to the Director of FinCEN.
\21\ 12 U.S.C. 5913(a)-(b); see also 12 U.S.C.
5903(a)(4)(A)(iv); 12 U.S.C. 5903(h).
\22\ Certain PPSIs, defined in the GENIUS Act as State qualified
payment stablecoin issuers, will not be overseen by a Federal
functional regulator. See 12 U.S.C. 5901(31); 12 U.S.C. 5906.
Consistent with FinCEN's historical practice, this proposed rule
generally treats these institutions in the same way it treats PPSIs
with a Federal functional regulator. FinCEN, Customer Identification
Program, Anti-Money Laundering Programs, and Beneficial Ownership
Requirements for Banks Lacking a Federal Functional Regulator, 85 FR
57129 (Sept. 15, 2020) (amending 31 CFR 1020.220 so banks lacking a
Federal functional regulator are covered by the bank CIP rule). For
purposes of State qualified payment stablecoin issuers, FinCEN is
issuing this proposal without a Federal functional regulator.
---------------------------------------------------------------------------
III. GENIUS Act Implementation
Treasury issued an advance notice of proposed rulemaking (ANPRM) in
September 2025 seeking public comment on potential Treasury regulations
implementing the GENIUS Act, including those imposing BSA, anti-money
laundering, and sanctions compliance program obligations.\23\ In
response to this ANPRM, Treasury received approximately 450 timely
comments from a variety of stakeholders, including banks and credit
unions, stablecoin issuers, digital asset exchanges, analytics
companies, law firms, trade associations, non-governmental
organizations, technology firms, academics, and members of the public.
In crafting this proposal, Treasury reviewed and considered the
pertinent comments, including those related to illicit finance topics.
---------------------------------------------------------------------------
\23\ Treasury, GENIUS Act Implementation, 90 FR 45159 (Sept. 19,
2025). The ANPRM also solicited comment on a range of potential
Treasury efforts related to the GENIUS Act that are outside the
purview of this rulemaking. For example, the ANPRM included
questions related to the GENIUS Act prohibition on digital asset
service providers offering and selling a payment stablecoin to any
person in the United States unless the payment stablecoin is issued
by a PPSI or a foreign payment stablecoin issuer that meets certain
requirements. Id. at 45160-61. It also included questions related to
Treasury's role in determining whether a state-level regulatory
regime is substantially similar to the federal framework and whether
a foreign country's regulatory and supervisory regime is comparable
to the U.S. framework. Id. at 45162-63.
---------------------------------------------------------------------------
This NPRM represents one piece of the comprehensive regulatory
framework for PPSIs set out in the GENIUS Act.\24\ In a separate
rulemaking, FinCEN has proposed a rule to implement the GENIUS Act's
directive to apply anti-money laundering obligations to PPSIs (referred
to as ``PPSI AML/CFT NPRM''), including program, reporting, and
recordkeeping obligations, among others.\25\ The PPSI AML/CFT NPRM
proposes adding several new definitions arising from the GENIUS Act to
chapter X, which are here used to describe this proposed rule. These
definitions include ``digital asset,'' \26\ ``distributed ledger,''
\27\ ``payment stablecoin,'' \28\ ``permitted payment stablecoin
issuer,'' \29\ ``primary Federal payment stablecoin regulator,'' \30\
``Federal qualified payment stablecoin issuer,'' \31\ ``State payment
stablecoin regulator,'' \32\ and ``State qualified payment stablecoin
issuer.'' \33\ Generally speaking, the proposed definitions in the PPSI
AML/CFT NPRM track the language the GENIUS Act uses to define those
terms, with a few proposed technical modifications that are intended to
be non-substantive.
---------------------------------------------------------------------------
\24\ See, e.g., FDIC, Approval Requirements for Issuance of
Payment Stablecoins by Subsidiaries of FDIC-Supervised Insured
Depository Institutions, 90 FR 59409 (Dec. 19, 2025); NCUA,
Investments in and Licensing of Permitted Payment Stablecoins
Issuers, 91 FR 6531 (Feb. 12, 2026); OCC, Implementing the Guiding
and Establishing National Innovation for U.S. Stablecoins Act for
the Issuance of Stablecoins by Entities Subject to the Jurisdiction
of the Office of the Comptroller of the Currency, 91 FR 10202 (Mar.
2, 2026); Treasury, GENIUS Act Broad-Based Principles for
Determining Whether a State-Level Regulatory Regime Is Substantially
Similar to the Federal Regulatory Framework, 91 FR 16844 (Apr. 3,
2026); FDIC, GENIUS Act Requirements and Standards for
FDIC-Supervised Permitted Payment Stablecoin Issuers and Insured
Depository Institutions, 91 FR 18534 (Apr. 10, 2026).
\25\ See PPSI AML/CFT NPRM, supra note 4.
\26\ See 12 U.S.C. 5901(6).
\27\ See 12 U.S.C. 5901(8).
\28\ See 12 U.S.C. 5901(22).
\29\ See 12 U.S.C. 5901(23).
\30\ See 12 U.S.C. 5901(25).
\31\ See 12 U.S.C. 5901(11).
\32\ See 12 U.S.C. 5901(30).
\33\ See 12 U.S.C. 5901(31).
---------------------------------------------------------------------------
IV. Overview of Stablecoins and Issuers
The GENIUS Act only governs a subcategory of stablecoins, namely
``payment stablecoins'' as defined by the GENIUS Act, and a subcategory
of actors in the payment stablecoin ecosystem, most critically for this
rulemaking, PPSIs.\34\ Thus, under the GENIUS Act, not all stablecoins
are payment stablecoins and not all stablecoin issuers will be eligible
to be PPSIs. Because the GENIUS Act framework is not yet in place,
however, it is not determined which specific stablecoins will be
payment stablecoins and which specific stablecoin issuers will be
PPSIs. An understanding of the stablecoin ecosystem, uses of
stablecoins, and risks associated with stablecoins generally informs
the parameters of the proposed rule, including the rationale behind
certain proposed obligations.
---------------------------------------------------------------------------
\34\ See, e.g., 12 U.S.C. 5902, 5903.
---------------------------------------------------------------------------
A. Stablecoins and Their Uses
Stablecoins are a blockchain-based \35\ digital asset \36\ designed
to maintain a stable value relative to an underlying asset, most
often--but not always--a fiat currency.\37\ Most stablecoin issuers use
smart contracts \38\ to issue stablecoins, enable or prohibit
subsequent transactions in the stablecoin, and redeem stablecoins. The
smart contracts underlying most stablecoins maintain a ledger of the
number of stablecoins ``owned by a set of accounts where each account
is owned by a blockchain address'' or wallet.\39\
---------------------------------------------------------------------------
\35\ A blockchain is ``any technology where data is: (i) shared
across a network to create a public ledger of verified transactions
or information among network participants; (ii) linked using
cryptography to maintain the integrity of the public ledger and to
execute other functions; (iii) distributed among network
participants in an automated fashion to concurrently update network
participants on the state of the public ledger and any other
functions; and (iv) composed of source code that is publicly
available.'' Executive Order (E.O.) 14178, Strengthening American
Leadership in Digital Financial Technology, sec. 2(b), 90 FR 8647
(Jan. 31, 2025).
\36\ For this proposed rule, a ``digital asset'' is ``any
digital representation of value that is recorded on a
cryptographically secured distributed ledger.'' See 12 U.S.C.
5901(6).
\37\ White House, Strengthening American Leadership in Digital
Financial Technology, p. 88 (July 2025) [hereinafter E.O. 14178
Report], available at https://www.whitehouse.gov/wp-content/uploads/2025/07/Digital-Assets-Report-EO14178.pdf. This report was issued by
the Presidential Working Group on Digital Asset Markets, of which
the Secretary of the Treasury is a member, pursuant to E.O. 14178.
\38\ A smart contract is a ``collection of code and data . . .
that is deployed using cryptographically signed transactions'' on a
blockchain network, which is executed by nodes on a blockchain to
perform any given set of pre-determined functions or conditions that
are recorded on a blockchain. See National Institute of Standards
and Technology (NIST), NISTIR 8202, Blockchain Technology Overview,
p. 32 (Oct. 2018) [hereinafter Blockchain Technology Overview],
available at https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8202.pdf (``A smart contract can perform calculations, store
information, expose properties to reflect a publicly exposed state
and, if appropriate, automatically send funds to other accounts.'').
\39\ NIST, NISTIR 8408, Understanding Stablecoin Technology and
Related Security Considerations, p. 6 (sec. 3.2) (Sept. 2023),
available at https://nvlpubs.nist.gov/nistpubs/ir/2023/NIST.IR.8408.pdf. The lynchpin of a blockchain is asymmetric (public
key) cryptography, which is used to secure and send transactions on
a blockchain. See Blockchain Technology Overview, supra note 38, p.
11. First, a user generates a private key (a string of characters
that functions like a password) and uses that private key to generate
a public key (an account number on a blockchain known as an
address). Without the private key associated with an address or
public key, a user cannot access the digital assets contained
within. Developers have created software or hardware wallets to
enable users to manage their public and private keys and safeguard
their assets more easily. See E.O. 14178 Report, supra note 37, pp.
9-10.
---------------------------------------------------------------------------
The liquidity and stability of stablecoins relative to other
digital assets and rapid settlement of stablecoins make them appealing
to illicit actors as well as legitimate users.\40\ Currently, most
legitimate users primarily rely on stablecoins to store value or
facilitate trades in other digital assets. Payment stablecoins have the
potential, however, to become a more widely adopted form of
payment.\41\ Illicit actors have increasingly used stablecoins to
facilitate transactions and store proceeds.\42\ The U.S. government has
linked stablecoins to a range of illicit activities, including money
laundering, and bad actors, including scammers and fraudsters; \43\
Democratic People's Republic of Korea information technology workers,
cybercriminal groups, and related money laundering
networks; \44\ drug traffickers; \45\ terrorist groups; \46\ and
sanctions evasion and money laundering networks,\47\ among others.
---------------------------------------------------------------------------
\40\ See Treasury, 2026 National Money Laundering Risk
Assessment, p. 50 (Mar. 2026) [hereinafter 2026 NMLRA], available at
https://home.treasury.gov/system/files/246/2026-NMLRA.pdf; E.O.
14178 Report, supra note 37, p. 94.
\41\ E.O. 14178 Report, supra note 37, p. 91.
\42\ See 2026 NMLRA, supra note 40, p. 50.
\43\ See, e.g., Compl., United States v. Approximately
225,364,961 USDT, No. 25-cv-1907 (D.D.C. June 18, 2025) (civil
forfeiture action against more than $225.3 million in stablecoins
allegedly involved in concealing proceeds of digital assets
investment fraud); United States v. Su, No. 25-cr-362 (C.D. Cal.
Jan. 27, 2026) (defendant sentenced to 46 months in prison for role
in digital investment scam involving $36.9 million where victim
funds were converted to stablecoins).
\44\ See, e.g., Indictment, United States v. Sop, No. 23-cr-128
(D.D.C. Mar. 18, 2023) (alleging defendant laundered proceeds of
DPRK IT workers in violation of sanctions, including through use of
stablecoins); DOJ, Press Release, Department Files Civil Forfeiture
Complaint Against Over $7.74M Laundered on Behalf of the North
Korean Government (June 5, 2025), available at https://www.justice.gov/opa/pr/department-files-civil-forfeiture-complaint-against-over-774m-laundered-behalf-north-korean; United States of
America v. Approximately 1,159,834.52 USDT, No. 25-cv-3771 (D.D.C.
Oct. 24, 2025) (civil forfeiture complaint of stablecoins related to
virtual currency heists perpetrated by DPRK hacking groups).
\45\ See, e.g., United States v. Zhang et al., No. 22-cr-10279
(Aug. 15, 2025) (defendants sentenced to prison in connection with
drug trafficking scheme involving conversion of proceeds to
stablecoins); see also, DOJ, Press Release, Two Men Sentenced for
Role in International Money Laundering and Drug Trafficking
Conspiracy (Aug. 15, 2025), available at https://www.justice.gov/usao-ma/pr/two-men-sentenced-role-international-money-laundering-and-drug-trafficking-conspiracy.
\46\ See, e.g., DOJ, Press Release, Justice Department Disrupts
Hamas Terrorist Financing Scheme Through Seizure of Cryptocurrency
(Mar. 27, 2025), available at https://www.justice.gov/opa/pr/justice-department-disrupts-hamas-terrorist-financing-scheme-through-seizure-cryptocurrency; United States of America v. Nine
Cryptocurrency Wallets Held by Tether Ltd. and Seven Cryptocurrency
Wallets Held by Binance Holdings Ltd., No. 24-cv-01251 (D.D.C. Nov.
13, 2025) (involving a civil forfeiture of approximately $2 million
in digital currency connected to a Gaza-based money transfer
business that was involved in financially supporting Hamas).
\47\ Treasury, Press Release, Treasury Exposes Money Laundering
Network Using Digital Assets to Evade Sanctions (Dec. 4, 2024),
available at https://home.treasury.gov/news/press-releases/jy2735.
---------------------------------------------------------------------------
B. Issuers and Interactions With Users
Most stablecoins backed by financial assets, including fiat
currency, have centralized control, meaning that one company, or a
group of companies, is responsible for governance functions, including
defining and ensuring compliance with standards related to the
issuance, purchase, redemption, custody, and transfer of the
stablecoin.
Currently, many stablecoin issuers generally interact directly with
a small number of larger companies--which are often institutional
participants in the trading of digital assets (i.e., digital asset
exchanges).\48\ Those companies, in turn, interact with a larger and
more diverse group of users. Many stablecoin issuers predominantly
offer issue and redemption services to financial institutions,
including digital asset exchanges that may be regulated under the BSA
as MSBs.\49\ Generally, once an issuer issues stablecoins to such
financial institutions, those financial institutions put the
stablecoins into broader circulation to other users, such as individual
retail users.\50\
---------------------------------------------------------------------------
\48\ See Watsky, Cy, et al., Primary and Secondary Markets for
Stablecoins, FEDS Notes, Washington: Board of Governors of the
Federal Reserve System (Feb. 23, 2024), available at https://doi.org/10.17016/2380-7172.3447.
\49\ See id.; see also E.O. 14178 Report, supra note 37, p. 105.
\50\ See, e.g., E.O. 14178 Report, supra note 37, pp. 18-20.
---------------------------------------------------------------------------
Due to the use of smart contracts underlying stablecoin
transactions and how users interact with stablecoin issuers, the
ecosystem can, broadly speaking, be divided into two components, the
primary market and the secondary market. For purposes of this
rulemaking, FinCEN and the Agencies will use the term ``primary
market'' to generally describe a PPSI interacting directly with a user
or holder of a payment stablecoin, such as when a PPSI engages in
issuing, converting, redeeming, repurchasing, burning, and reissuing
payment stablecoins, as well as providing associated services, such as
providing custodial services.\51\ FinCEN and the Agencies will use the
term ``secondary market'' to describe payment stablecoin activity that
does not directly involve the PPSI as a party to the transaction other
than via a smart contract. For example, secondary market activity could
include an individual purchasing payment stablecoins from
intermediaries, an individual sending a payment stablecoin from a self-
hosted wallet to a vendor to purchase goods, an individual exchanging
payment stablecoins for another digital asset via a digital asset
exchange, or person-to-person transactions in payment stablecoins.
---------------------------------------------------------------------------
\51\ If consistent with the law and authorized by a primary
Federal stablecoin regulator or the State payment stablecoin
regulator, as applicable, PPSIs can also engage in activities as a
``digital asset service provider,'' as defined by the GENIUS Act,
and activities incidental thereto. Such activities include
exchanging and transferring digital assets. See 12 U.S.C.
5903(a)(7)(B), 5901(7). Such activity would also constitute primary
market activity.
---------------------------------------------------------------------------
V. Section-by-Section Analysis
As required by the GENIUS Act, this rulemaking proposes a CIP
obligation for accounts maintained by PPSIs.\52\ Obligations under this
proposal are comparable to existing CIP requirements for other
financial institutions, such as banks, broker-dealers, mutual funds,
and futures commission merchants and introducing brokers in
commodities. PPSIs likely will frequently interact with financial
institutions that are already subject to CIP requirements, and in some
cases, PPSIs will be subsidiaries of insured depository institutions
with CIP requirements.\53\ Subjecting PPSIs to CIP requirements similar
to such institutions is expected to increase the effectiveness and
efficiency of CIP programs and facilitate the ability of PPSIs and
other financial institutions with CIP requirements to rely on another
institution's performance of any procedure related to a CIP, with the
recommended safeguards contained in proposed 31 CFR 1033.220(a)(6).
---------------------------------------------------------------------------
\52\ See 12 U.S.C. 5903(a)(5)(A)(v).
\53\ As explained more fully in the PPSI AML/CFT NPRM, supra
note 4, in some cases PPSIs will be subsidiaries of insured
depository institutions, which have CIP requirements, or be
chartered by the OCC as national trust banks. See 12 U.S.C.
5901(11), (23).
---------------------------------------------------------------------------
In crafting this proposal, FinCEN and the Agencies have considered
the statutory factors articulated in the BSA, specifically the various
types of accounts PPSIs may maintain, the various methods of opening
accounts, and the various types of identifying information
available.\54\ Most notably, FinCEN and the Agencies recognize that
these factors may vary significantly by the size and complexity of the
PPSI, the activities in which it engages, and the types of customers it
has. Accordingly, rather than prescribe a one-size-fits-all approach,
FinCEN and the Agencies direct that a PPSI's CIP should address the
types of accounts it intends to maintain, how it allows those accounts
to be opened, and the types of identifying information available. In
defining ``account,'' as noted below, the proposal takes into
consideration the range of activities in which a PPSI can engage and
the types of accounts that a PPSI may maintain.
---------------------------------------------------------------------------
\54\ See 31 U.S.C. 5318(l)(3).
---------------------------------------------------------------------------
Relatedly, as mentioned above, the GENIUS Act directs the Secretary
to tailor BSA obligations to the size and complexity of an issuer.\55\
This proposal meets that requirement by proposing regulatory text that
requires a PPSI to tailor its CIP to that PPSI's size and type of
business, as well as take into consideration the PPSI's risk based on
its unique business--including the types of accounts it has, how those
accounts are opened, and the identifying information available. Other
policy options to tailor for size and complexity were considered
including, for example, a CIP obligation that would fluctuate solely
based on the size of an issuer. FinCEN and the Agencies have
preliminarily assessed, however, that such an approach could
harm national security by providing weaker points of entry to the
financial system, but request comment on its approach. This CIP
proposal necessarily results in tailored obligations, which comports
with the GENIUS Act, mitigates the risk of weaker points of entry, and
best
protects the U.S. financial system from illicit activity.
---------------------------------------------------------------------------
\55\ 12 U.S.C. 5903(a)(5)(B).
---------------------------------------------------------------------------
A. Proposed 31 CFR 1033.100--Definitions
FinCEN and the Agencies propose promulgating in Sec. 1033.100
three new definitions with respect to the proposed CIP obligation--
account, customer, and digital asset service provider.\56\ The
definitions are proposed for purposes of this CIP rulemaking and would
only apply to the CIP obligation unless otherwise expressly noted.\57\
---------------------------------------------------------------------------
\56\ This proposal's definitions are in addition to other terms
defined in the GENIUS Act and proposed to be codified by FinCEN as
part of the PPSI AML/CFT NPRM, see supra note 4, most notably,
``digital asset,'' ``distributed ledger,'' ``payment stablecoin,''
``permitted payment stablecoin issuer,'' ``primary Federal payment
stablecoin regulator,'' ``Federal qualified payment stablecoin
issuer,'' ``State payment stablecoin regulator,'' and ``State
qualified payment stablecoin issuer.''
\57\ As noted in the PPSI AML/CFT NPRM, see supra note 4, for
example, the term ``account'' is used in various FinCEN regulations
and in the GENIUS Act, but the definition of account in this
proposed CIP rule generally only applies to CIP requirements set out
in this proposed rule, part 1033, unless otherwise expressly noted.
Compare 31 CFR 1010.230(c) (referencing in beneficial ownership
requirement the CIP definitions of ``account'') with 1010.605(c)(2)
(defining ``account'' for purposes of special due diligence
obligations for correspondent accounts and private banking accounts,
without reference to the CIP definitions of ``account''). As
discussed in the PPSI AML/CFT NPRM, the GENIUS Act directs that
PPSIs have the technological capability to comply, and will comply,
with the terms of any lawful orders. See 12 U.S.C. 5903(a)(6)(B).
Lawful order is defined, in part, by using ``account.'' See 12
U.S.C. 5901(16)(B). FinCEN is not intending, however, to apply the
proposed CIP definition of account to that obligation.
---------------------------------------------------------------------------
The definitions discussed in this proposal are designed to clarify
that a PPSI's CIP obligation extends to direct relationships, i.e.,
primary market activity, and does not extend to activity where the only
interaction is with a PPSI's smart contract. Consistent with the BSA,
the CIP requirements for other types of financial institutions extend
to where an institution has some sort of formal relationship with an
individual or entity.\58\ Based on the language in section 4(a)(5) of
the GENIUS Act, and the analysis undertaken by FinCEN and the Agencies
of the stablecoin ecosystem, FinCEN and the Agencies assess that the
term ``customer'' in section 4(a)(5) related to ``customer
identification program'' pertains to circumstances where the
``customer'' and a PPSI have a direct interaction and relationship. Put
differently, the term ``customer'' is not meant to apply where a
transfer is the result of third parties and a payment stablecoin user's
only interaction with the PPSI is through a smart contract.
---------------------------------------------------------------------------
\58\ See, e.g., 31 CFR 1020.100 (defining ``account'' in bank
CIP as ``a formal banking relationship''); 1023.100 (defining
``account'' in broker-dealer CIP as ``a formal relationship''); see
also 31 U.S.C. 5318(l) (setting forth obligations related to
verifying the identity of ``customers . . . in connection with the
opening of an account'').
---------------------------------------------------------------------------
Moreover, interaction with a smart contract does not currently
result in a PPSI acquiring the kind of information needed to verify an
identity. Imposing an obligation where any payment stablecoin transfer
could, for purposes of a CIP obligation, result in a customer and
account relationship with a PPSI would essentially impose on PPSIs a
global obligation to collect and verify identifying information of
individual users. FinCEN and the Agencies assess that such a CIP
obligation would be nearly impossible for PPSIs to implement and could
potentially cripple the industry. FinCEN and the Agencies, however,
seek comment on this approach and their assessment of the difficulties
of such a globally applicable CIP obligation.
1. Proposed 31 CFR 1033.100(a)--Account
FinCEN and the Agencies propose adding the definition of
``account'' at Sec. 1033.100(a). The proposed definition resembles how
``account'' is defined in other CIP rules, but contains unique
provisions that reflect the kinds of activities in which PPSIs can
engage. It also considers, as the BSA requires, the types of accounts
PPSIs may maintain.
The proposed text defines an ``account'' in paragraph (a)(1) as a
formal relationship between a PPSI and a customer, established to
provide or engage in services, dealings, or other financial
transactions. The ``formal relationship'' language mimics most other
CIP rules promulgated under the BSA.\59\ FinCEN and the Agencies are
proposing carrying this language over to the PPSI CIP to promote
consistency, efficiency, and the ability of institutions to rely on
each other for CIP procedures (subject to safeguards). FinCEN and the
Agencies request comment, however, on whether the formal relationship
language is sufficiently clear.
---------------------------------------------------------------------------
\59\ See 31 CFR 1020.100(a)(1) (defining ``account'' for bank
CIP); 31 CFR 1023.100(a)(1) (defining ``account'' for broker-dealer
CIP); 31 CFR 1026.100(a)(1) (defining ``account'' for futures
commission merchants and introducing brokers in commodities CIP);
but see 31 CFR 1024.100(a)(1) (defining ``account'' for mutual fund
CIP as a ``contractual or other business relationship'').
---------------------------------------------------------------------------
Similar to the definition of ``account'' for other financial
institutions subject to CIP requirements, the proposed definition of
account contains an illustrative list of activities that may fall
within ``services, dealings, or other financial transactions.'' \60\
The proposed examples are based on the GENIUS Act's provision limiting
PPSI activities, including the GENIUS Act rule of construction that
clarifies a PPSI can engage in digital asset service provider
activities or activities incidental thereto to the extent that those
activities are consistent with all other Federal and State laws and
authorized by the appropriate primary Federal or State payment
stablecoin regulator.\61\ As proposed, the illustrative list would
include: (i) issuing or redeeming a payment stablecoin; (ii) managing
related reserves, including purchasing, selling, and holding reserve
assets or providing custodial services for reserve assets; (iii)
providing custodial or safekeeping services for payment stablecoins,
required reserves, or private keys of payment stablecoins; (iv) other
activities that directly support activities in paragraphs (a)(1)(i),
(ii), and (iii); or (v) providing services of a digital asset service
provider that are authorized by the primary Federal payment stablecoin
regulator or the State payment stablecoin regulator, as applicable,
consistent with all other Federal and State laws, provided that the
claims of payment stablecoin holders rank senior to any potential
claims of non-stablecoin creditors with respect to the reserve assets,
consistent with section 11 of the GENIUS Act. FinCEN and the Agencies
assess that providing such examples promotes clarity while leaving room
for innovations in the industry that could create new, but similar,
relationships between a PPSI and a person that involve a formal
relationship and could fall under the ``account'' definition.
---------------------------------------------------------------------------
\60\ See 31 CFR 1020.100(a), 1023.100(a), 1024.100(a),
1026.100(a).
\61\ See 12 U.S.C. 5903(a)(7).
---------------------------------------------------------------------------
Unlike with other types of financial institutions with CIP
requirements, an individual with no established relationship with a
PPSI could hold a PPSI's product, specifically a payment stablecoin,
and then seek to engage directly with a PPSI for a financial service.
For example, an individual who has no established relationship with the
PPSI could acquire a payment stablecoin from, for example, an exchange,
and seek to redeem it with the PPSI. That redemption could establish an
account with the PPSI and make the individual a customer. FinCEN
requests comment on whether the CIP proposal should be refined or
clarified to account for such activity.
The proposed definition also provides instances where activity does
not form an account relationship. Two of these
subparagraphs are intended to make clear that purely secondary market
payment stablecoin activity does not form a formal relationship between
a PPSI and a payment stablecoin user or holder. That list provides that
the term ``account'' does not include a product or service where a
formal relationship is not established with a person, such as payment
stablecoin activity that does not directly involve the PPSI as a party
to the transaction other than via a smart contract. It also specifies
that ownership or control of a PPSI's payment stablecoins alone,
without other indicators of a formal relationship, does not constitute
an account.
Consistent with other CIP rules, the proposed text further provides
that the term ``account'' does not include an account that the PPSI
acquires through an acquisition, merger, purchase of assets, or
assumption of liabilities from a financial institution regulated by a
Federal functional regulator or a bank regulated by a State bank
regulator or an account opened for the purpose of participating in an
employee benefit plan established under the Employee Retirement Income
Security Act of 1974.
2. Proposed 31 CFR 1033.100(b)--Customer
FinCEN and the Agencies propose adding the definition of
``customer'' at Sec. 1033.100(b) for the purposes of a PPSI's CIP
obligation. The proposal would define customer as (i) a person that
opens a new account; and (ii) an individual who opens a new account
for: (A) an individual who lacks legal capacity, such as a minor; or
(B) an entity that is not a legal person, such as a civic club.
The proposed definition also provides that the term ``customer''
does not include: (i) a financial institution regulated by a Federal
functional regulator or a bank regulated by a State bank regulator;
(ii) a person described in Sec. 1020.315(b)(2) through (4) of 31 CFR
chapter X; (iii) a person that has an existing account with the PPSI,
provided the PPSI has a reasonable belief that it knows the true
identity of the person; or (iv) a person acquiring or redeeming a
payment stablecoin from a means other than directly from or directly to
the PPSI. The final provision promotes FinCEN and the Agencies'
determination that transfers of payment stablecoins on the secondary
market do not make a party to the transfer a customer of a PPSI.
3. Proposed 31 CFR 1033.100(c)--Digital Asset Service Provider
FinCEN and the Agencies propose adding a definition of ``digital
asset service provider'' at Sec. 1033.100(c) for the purposes of a
PPSI's CIP obligations because the term is used in the proposed
definition of ``account.'' As discussed, the GENIUS Act expressly
reserves the ability of a PPSI to engage in digital asset service
provider activities, where such activities are authorized by the
appropriate primary Federal payment stablecoin regulator or State
payment stablecoin regulator.\62\ To help ensure such activities are
appropriately included in activities that could create an account
relationship with a PPSI, FinCEN and the Agencies propose defining
``digital asset service provider'' for CIP purposes.
---------------------------------------------------------------------------
\62\ 12 U.S.C. 5903(a)(7)(B).
---------------------------------------------------------------------------
The proposed definition of ``digital asset service provider'' is
consistent with the definition provided in the GENIUS Act, with certain
modifications in light of preexisting FinCEN regulatory
definitions.\63\ Under the proposed rule, the term ``digital asset
service provider'' would mean an individual, partnership, company,
corporation, association, trust, estate, cooperative organization, or
other business entity, incorporated or unincorporated that, for
compensation or profit, engages in business in the United States
(including on behalf of customers or users in the United States) of:
(A) exchanging digital assets for monetary value, meaning a national
currency or deposit denominated in a national currency; (B) exchanging
digital assets for other digital assets; (C) transferring digital
assets to a third party; (D) acting as a digital asset custodian; or
(E) participating in financial services relating to digital asset
issuance. The proposed definition also provides that the term ``digital
asset service provider'' does not include: (i) a distributed ledger
protocol; (ii) developing, operating, or engaging in the business of
developing distributed ledger protocols or self-custodial software
interfaces; (iii) an immutable and self-custodial software interface;
(iv) developing, operating, or engaging in the business of validating
transactions or operating a distributed ledger; or (v) participating in
a liquidity pool or other similar mechanism for the provisioning of
liquidity for peer-to-peer transactions. The proposed definition of
digital asset service provider will also state the meaning of
``distributed ledger protocol,'' as defined by 12 U.S.C. 5901(9).
---------------------------------------------------------------------------
\63\ See 12 U.S.C. 5901(7).
---------------------------------------------------------------------------
This proposed definition modifies the GENIUS Act language in three
respects. None of the changes are intended to substantively change the
meaning of the GENIUS Act definition of digital asset service provider.
First, the proposed definition modifies the GENIUS Act definition
of digital asset service provider by replacing the statutory term
``person'' in that definition with the text the GENIUS Act uses to
define ``person'' in 12 U.S.C. 5901(24).\64\ This change is proposed
because the term ``person'' is already defined in FinCEN regulations at
31 CFR 1010.100(mm) \65\ and differs from the GENIUS Act definition of
``person.'' \66\ FinCEN's regulatory definition of person includes
Indian Tribes as defined in the Indian Gaming Regulatory Act, which the
GENIUS Act definition of person does not include. Further, FinCEN's
regulatory definition also does not characterize the entities that
comprise the category as ``business'' entities, as the GENIUS Act
definition does. To ensure the definition of ``digital asset service
provider'' for PPSIs accurately applies to the ``persons'' that
Congress intended, as evidenced by the GENIUS Act definition of the
term, FinCEN and the Agencies propose incorporating the GENIUS Act
definition of person into the regulatory definition of ``digital asset
service provider.''
---------------------------------------------------------------------------
\64\ See 12 U.S.C. 5901(24) (defining ``person'' as ``an
individual, partnership, company, corporation, association, trust,
estate, cooperative organization, or other business entity,
incorporated or unincorporated'').
\65\ See 31 CFR 1010.100(mm) (defining ``Person'' as ``An
individual, a corporation, a partnership, a trust or estate, a joint
stock company, an association, a syndicate, joint venture, or other
unincorporated organization or group, an Indian Tribe (as that term
is defined in the Indian Gaming Regulatory Act), and all entities
cognizable as legal personalities'').
\66\ See 12 U.S.C. 5901(24).
---------------------------------------------------------------------------
Second, the proposed definition of ``digital asset service
provider'' incorporates the GENIUS Act definition of ``monetary value''
as provided in 12 U.S.C. 5901(17).\67\ FinCEN has two similar terms,
``monetary instruments'' and ``currency,'' that are already defined in
its regulations at 31 CFR 1010.100(dd) \68\ and 31 CFR
1010.100(m).\69\ To avoid confusion between the existing definitions
and the definition in the GENIUS Act, FinCEN and the Agencies propose
including the GENIUS Act definition of ``monetary value'' within the
definition of ``digital asset service provider.''
---------------------------------------------------------------------------
\67\ See 12 U.S.C. 5901(17) (defining ``monetary value'' as ``a
national currency or deposit (as defined in section [3 of the
Federal Deposit Insurance Act (12 U.S.C. 1813))] denominated in a
national currency'').
\68\ See 31 CFR 1010.100(dd) (defining ``Monetary instruments''
as ``(1) Monetary instruments include: (i) Currency; (ii) Traveler's
checks in any form; (iii) All negotiable instruments (including
personal checks, business checks, official bank checks, cashier's
checks, third-party checks, promissory notes (as that term is
defined in the Uniform Commercial Code), and money orders) that are
either in bearer form, endorsed without restriction, made out to a
fictitious payee (for the purposes of Sec. 1010.340), or otherwise
in such form that title thereto passes upon delivery; (iv)
Incomplete instruments (including personal checks, business checks,
official bank checks, cashier's checks, third-party checks,
promissory notes (as that term is defined in the Uniform Commercial
Code), and money orders) signed but with the payee's name omitted;
and (v) Securities or stock in bearer form or otherwise in such form
that title thereto passes upon delivery. (2) Monetary instruments do
not include warehouse receipts or bills of lading.'').
\69\ See 31 CFR 1010.100(m) (defining ``Currency'' as ``[t]he
coin and paper money of the United States or of any other country
that is designated as legal tender and that circulates and is
customarily used and accepted as a medium of exchange in the country
of issuance. Currency includes U.S. silver certificates, U.S. notes
and Federal Reserve notes. Currency also includes official foreign
bank notes that are customarily used and accepted as a medium of
exchange in a foreign country'').
---------------------------------------------------------------------------
Third, and finally, the proposed definition of ``digital asset
service provider'' also incorporates the GENIUS Act definition of
``distributed ledger protocol'' as provided in 12 U.S.C. 5901(9).\70\
The term ``distributed ledger protocol'' is not otherwise used in the
proposed regulation, so FinCEN and the Agencies propose including the
term and its definition within the definition of ``digital asset
service provider.''
---------------------------------------------------------------------------
\70\ See 12 U.S.C. 5901(9) (defining ``distributed ledger
protocol'' as ``publicly available and accessible executable
software deployed to a distributed ledger, including smart contracts
or networks of smart contracts'').
---------------------------------------------------------------------------
B. Proposed 31 CFR 1033.220--Customer Identification Program
1. Proposed 31 CFR 1033.220(a) and (a)(1)--Minimum Requirements
Proposed Sec. 1033.220(a) would establish the minimum standards
for a CIP. Proposed Sec. 1033.220(a)(1) would require a PPSI to
establish and maintain a written CIP. The CIP would be required to be
appropriate for a PPSI's size and business.
As with the CIP rule for banks and other financial institutions
with CIP obligations, a PPSI's CIP would be required to be a part of
the PPSI's anti-money laundering and countering the financing of
terrorism (AML/CFT) program. As discussed in the PPSI AML/CFT NPRM,
FinCEN and the Agencies recognize the value of enterprise-wide
compliance efforts. Where a PPSI is a subsidiary of an insured
depository institution, FinCEN and the Agencies anticipate that the
enterprise may elect to extend a single AML/CFT program to both
entities and that doing so would be permissible so long as a
comprehensive AML/CFT program is reasonably designed to identify and
mitigate the risks posed by the different aspects of each entity's
business and activities and satisfies each of the risk-based AML/CFT
program and other applicable BSA and GENIUS Act requirements to which
the PPSI or parent is subject. Likewise, an enterprise may elect to
implement an enterprise-wide CIP rather than maintain separate CIPs for
a parent and subsidiary. In doing so, however, the enterprise-wide CIP
would need to account for the legal and regulatory obligations of both
the parent and subsidiary. Relatedly, where a PPSI is also a national
trust bank, the entity could create a single CIP covering all the
entity's regulatory obligations.
2. Proposed 31 CFR 1033.220(a)(2)--Identity Verification Procedures
Proposed Sec. 1033.220(a)(2) would impose obligations related to
identity verification procedures, effectuating 31 U.S.C. 5318(l)(2)(A).
It would require that the CIP include risk-based procedures for
verifying the identity of each customer to the extent reasonable and
practicable. The procedures must enable the PPSI to form a reasonable
belief that it knows the identity of each customer. The procedures must
be based on the PPSI's assessment of the relevant risks, including
those presented by the various types of accounts maintained by the
PPSI, the various methods of opening accounts provided by the PPSI, the
various types of identifying information available, and the PPSI's
size, location, and customer base.
As with existing CIP rules, the rule proposes to include the term
``risk-based'' as a descriptor of these procedures.\71\ The identity
verification procedures would need to be based on the PPSI's assessment
of the relevant risks, and take into consideration the types of
accounts the PPSI maintains, the different methods of opening accounts,
and the types of identifying information available.\72\ Ultimately the
procedures must enable the PPSI to form a reasonable belief that it
knows the true identity of the customer.\73\ A risk-based framework
reflects the fact that variations in customer relationships can present
varying levels of risks.\74\
---------------------------------------------------------------------------
\71\ See 31 CFR 1020.220(a)(2), 1023.220(a)(2), 1024.220(a)(2),
1026.220(a)(2).
\72\ See 31 U.S.C. 5318(l)(3).
\73\ See 31 U.S.C. 5381(l)(2)(A).
\74\ See Board, FDIC, FinCEN, NCUA, and OCC, Joint Statement on
the Risk-Based Approach to Assessing Customer Relationships and
Conducting Customer Due Diligence (July 6, 2022), available at
https://www.fincen.gov/news/news-releases/joint-statement-risk-based-approach-assessing-customer-relationships-and.
---------------------------------------------------------------------------
i. Proposed 31 CFR 1033.220(a)(2)(i)--Customer Information Required
Proposed Sec. 1033.220(a)(2)(i) would specify identifying
information that a CIP must account for in procedures for opening an
account. The proposed rule would require a PPSI to obtain from each
customer the following information prior to opening an account: (1)
name; (2) date of birth, for an individual; or date of formation, for a
person that is not an individual; (3) address (a residential and
mailing address for individuals, or the principal place of business,
local office, or other physical address and mailing address for a
person other than an individual); and (4) an identification number.
The proposed rule would require that a PPSI collect a residential
or business street address for an individual. If the individual does
not have a residential or business street address, the individual may
provide an Army Post Office or a Fleet Post Office box number or the
residential or business street address of a next of kin or another
contact individual. If the customer is a corporation, partnership or
trust, it must provide the address of its principal place of business,
local office, or other physical location. A Post Office (PO) box is not
an acceptable type of address for the purposes of the proposed rule.
Similarly, although some virtual offices or commercial mail receiving
agencies provide an address for an entity or individual to use, similar
to a PO box, the address provided is not an actual place of business or
residence for the entity or individual and does not evidence a physical
location for the customer.\75\ Accordingly, such addresses are not
acceptable physical locations for purposes of the proposed rule.
---------------------------------------------------------------------------
\75\ See United States Postal Service, Domestic Mail Manual,
section 508.1.8 (Jan. 18, 2026), available at https://pe.usps.com/cpim/ftp/manuals/dmm300/508.pdf.
---------------------------------------------------------------------------
The proposed rule would also require collection of an
identification number. For U.S. persons this would be a taxpayer
identification number. For non-U.S. persons the identification number
could be one or more of the following: a taxpayer identification
number, passport number and country of issuance, alien identification
card number, or number and country of issuance of any other government-
issued document evidencing nationality or residence and bearing a
photograph or similar safeguard. For a non-U.S. person that is not an
individual and that does not have an identification number, the PPSI
must request alternative
[[Page 37242]]
government-issued documentation certifying the existence of the person.
The proposed rule provides an exception for persons applying for a
taxpayer identification number. However, the exception would require
that the CIP include procedures for confirming that the application for
a taxpayer identification number was filed, as well as obtaining the
taxpayer identification number within a reasonable period of time after
the account is opened.
ii. Proposed 31 CFR 1033.220(a)(2)(ii)--Customer Verification
Proposed Sec. 1033.220(a)(2)(ii) relates to CIP procedures for
verifying the identity of a customer using the information the PPSI has
collected. The proposed rule would require that the CIP contain
procedures for verifying the identity of each new customer within a
reasonable period of time after the customer's account is opened. The
procedures must describe when the PPSI will use documents, non-
documentary methods, or a combination of both methods.
FinCEN and the Agencies recognize the interest in leveraging
verifiable credentials and digital identity as part of account opening
procedures.\76\ Over 20 years ago when the bank CIP final rule was
promulgated, FinCEN and staff of the Board, FDIC, NCUA, OCC, and the
Office of Thrift Supervision (OTS) recognized in guidance that an
``electronic credential'' was one method that an institution could use
to form a reasonable belief that it knows the true identity of its
customer.\77\ Since that time, digital identity tools have become more
commonplace and more sophisticated. Notably, however, there are a
variety of digital identity tools and applications currently in
existence, as well as a significant number under development. These
tools vary in how they operate and in their trustworthiness.\78\
---------------------------------------------------------------------------
\76\ Treasury, Report to Congress from the Secretary of the
Treasury on Innovative Technologies to Counter Illicit Finance
Involving Digital Assets, pp. 17-22 (Mar. 2026) [hereinafter
Innovation Report], available at https://home.treasury.gov/system/files/246/GENIUS-Act-Illicit-Finance-Innovation-Congressional-Report-March-2026.pdf; see also E.O. 14178 Report, supra note 37,
pp. 112-13. The GENIUS Act tasked the Secretary with researching
innovative or novel models, techniques, or strategies that regulated
financial institutions use, or have the potential to use to detect
illicit activity, including money laundering, involving digital
assets, including digital identity verification solutions. 12 U.S.C.
5908. Treasury issued a request for comment in August 2025. See
Treasury, Request for Comment on Innovative Methods to Detect
Illicit Activity Involving Digital Assets, 90 FR 40148 (Aug. 18,
2025). Treasury issued the required congressional report on March 6,
2026.
\77\ FinCEN, FAQs: Final CIP Rule, p. 6 (Jan. 2004), available
at https://www.fincen.gov/system/files/guidance/finalciprule.pdf.
\78\ See E.O. 14178 Report, supra note 37, p. 112.
---------------------------------------------------------------------------
FinCEN and the Agencies propose that technological variation and
innovation are best accounted for by maintaining the flexibility in the
proposal relating to how a PPSI verifies a customer's identity. This
flexibility will enable individual PPSIs to assess their comfort level
with the trustworthiness of various tools and take into consideration
variation in tools and differences in risk. FinCEN and the Agencies
expect that PPSIs would treat different digital identity tools
differently. For example, a mobile ID or driver's license issued by a
state could constitute an ``unexpired government-issued identification
evidencing nationality or residence and bearing a photograph or similar
safeguard'' under proposed Sec. 1033.220(a)(2)(ii)(A). A digital
identity credential offered by a non-governmental entity that enables a
person to prove that they are who they claim to be without revealing
information other than that fact could, if appropriate as part of a
risk-based procedure, be a non-documentary verification method.
Accordingly, FinCEN and the Agencies are not proposing regulatory text
related to verifiable credentials and digital identities, but request
comment on this approach.
a. Proposed 31 CFR 1033.220(a)(2)(ii)(A)--Verification Through
Documents
The proposed rule states that if the PPSI is relying on documents
to verify a customer's identity, then the CIP must contain procedures
that set forth the documents that the PPSI will use. For an individual,
the PPSI could use an unexpired government-issued identification
evidencing nationality or residence that contains a photograph or
similar safeguard, such as a driver's license or passport. For a person
other than an individual, such as a corporation, partnership, or trust,
the document must show the existence of the entity, such as certified
articles of incorporation, a government-issued business license, a
partnership agreement, or a trust instrument.
b. Proposed 31 CFR 1033.220(a)(2)(ii)(B)--Verification Through Non-
Documentary Methods
For a PPSI relying on non-documentary methods to verify a
customer's identity, the proposed rule would require the CIP to contain
procedures that set forth the non-documentary methods the PPSI will
use. These methods may include contacting a customer; independently
verifying the customer's identity through the comparison of information
provided with respect to the customer with information obtained from a
consumer reporting agency, public database, or other source; checking
references with other financial institutions; or obtaining a financial
statement.
Under the proposed rule, the PPSI's non-documentary procedures
would be required to address situations where an individual is unable
to present an unexpired government-issued identification document that
bears a photograph or similar safeguard; the PPSI is not familiar with
the documents presented; the account is opened without obtaining
documents; the customer opens the account without meeting in person; or
the PPSI is otherwise presented with circumstances that increase the
risk that the PPSI will be unable to verify the true identity of a
customer through documents.
c. Proposed 31 CFR 1033.220(a)(2)(ii)(C)--Additional Verification for
Certain Customers
Proposed Sec. 1033.220(a)(2)(ii)(C) would require that a PPSI's
CIP address situations where, based on the PPSI's risk assessment of a
new account opened by a customer that is not an individual, the PPSI
will obtain information about individuals with authority or control
over such account to verify the customer's identity. This verification
method would apply only when the PPSI cannot verify the true identity
of a customer that is not an individual through either documentary or
non-documentary methods.
iii. Proposed 31 CFR 1033.220(a)(2)(iii)--Lack of Verification
FinCEN and the Agencies believe that, while the majority of
customers may be verified through documentary and non-documentary
methods, there may be instances where this is not possible. Proposed
Sec. 1033.220(a)(2)(iii) relates to CIP procedures in which the PPSI
cannot form a reasonable belief that it knows the true identity of a
customer. Under the proposed rule, these procedures would be required
to describe: (1) when the PPSI should not open an account; (2) the
terms under which a customer may use an account while the PPSI attempts
to verify the customer's identity; (3) when the PPSI should close an
account after attempts to verify a customer's identity fail; and (4)
when the PPSI should file a Suspicious Activity Report in accordance
with applicable law and regulation.
[[Page 37243]]
3. Proposed 31 CFR 1033.220(a)(3)--Records
The proposed rule in Sec. 1033.220(a)(3) states that the CIP must
include procedures for making and maintaining a record of all
information obtained by the PPSI through the CIP, effectuating 31
U.S.C. 5318(l)(2)(B). At a minimum, proposed Sec. 1033.220(a)(3)(i)
would require that the record include: (1) all identifying information
about a customer obtained under the CIP; (2) a description of any
document relied on to verify the identity of the customer under the
CIP, noting the type of document, any identification number contained
in the document, the place of issuance, and if any, the date of
issuance and expiration date; (3) a description of the methods and
results of any measures undertaken to verify the identity of a
customer; and (4) a description of the resolution of each substantive
discrepancy discovered when verifying the identifying information
obtained.
Additionally, the proposed rule states that a PPSI must retain the
identifying information about a customer obtained under Sec.
1033.220(a)(3)(i)(A) for five years after the date the account is
closed and the information regarding the verification of a customer's
identity records collected under Sec. 1033.220(a)(3)(i)(B), (C), and
(D) for five years after the record is made.
4. Proposed 31 CFR 1033.220(a)(4)--Comparison With Government Lists
Proposed Sec. 1033.220(a)(4) would require a PPSI's CIP to include
reasonable procedures for determining whether a customer appears on any
list of known or suspected terrorists or terrorist organizations issued
by any Federal government agency and designated as such by Treasury in
consultation with the Federal functional regulators, effectuating 31
U.S.C. 5318(l)(2)(C). The procedures would have to require the PPSI to
make such a determination within a reasonable period of time after the
account is opened, or earlier if required by another Federal law or
regulation or Federal directive issued in connection with the
applicable list. The procedures also would have to require the PPSI to
follow all Federal directives issued in connection with such lists.
Because Treasury and the Federal functional regulators have not yet
designated any such lists, the proposed rule cannot be more specific
with respect to the lists PPSIs must check in order to comply with this
provision. Accordingly, PPSIs would not have an affirmative duty under
this proposed regulation to seek out all lists of known or suspected
terrorists or terrorist organizations compiled by the Federal
government. Instead, PPSIs would receive separate notification
regarding the lists that must be consulted for purposes of this
provision.
Many PPSIs already have procedures in place for determining whether
customers' names appear on some Federal lists, including lists that
identify known terrorists and terrorist organizations. For example,
under current law, there are substantive legal requirements associated
with lists circulated by Treasury's Office of Foreign Assets Control
(OFAC). Failure to comply with these requirements may result in
criminal or civil penalties.
5. Proposed 31 CFR 1033.220(a)(5)--Customer Notice
The proposed rule states in Sec. 1033.220(a)(5) that the CIP must
include procedures for providing customers with adequate notice that
the PPSI is requesting information to verify their identities. Under
the proposed rule, notice would be considered adequate if the PPSI
generally described the identification requirements of this section and
provided such notice in a manner reasonably designed to ensure that a
prospective customer is able to view the notice, or is otherwise given
notice, before opening an account. For example, depending upon the
manner in which the account is opened, a PPSI may post a notice on its
website, include the notice in its account applications, or use any
other form of oral or written notice. The proposed rule provides a
sample notice.
6. Proposed 31 CFR 1033.220(a)(6)--Reliance on Another Financial
Institution
Proposed Sec. 1033.220(a)(6) would provide that a PPSI's CIP may
include procedures specifying when a PPSI may rely on another Federally
regulated financial institution's performance of a procedure with
respect to any PPSI customer that is opening or has opened an account.
Such reliance would have to be reasonable under the circumstances, and
the other financial institution on which the PPSI seeks to rely would
have to be subject to an AML/CFT program with CIP requirements, as well
as regulated by a Federal functional regulator.\79\ Additionally, the
institutions would have to have a contract requiring the institution on
which the PPSI seeks to rely to certify annually to the PPSI that it
has implemented an AML/CFT program and will perform (or its agent will
perform) the specified requirements of the PPSI's CIP. Critically, this
proposed provision would not change a PPSI's CIP obligation, and the
PPSI would remain responsible for its compliance.
---------------------------------------------------------------------------
\79\ See 31 CFR 1010.100(r) (defining ``Federal functional
regulator'' as ``(1) The Board of Governors of the Federal Reserve
System; (2) The Office of the Comptroller of the Currency; (3) The
Board of Directors of the Federal Deposit Insurance Corporation; (4)
The Office of Thrift Supervision; (5) The National Credit Union
Administration; (6) The Securities and Exchange Commission; or (7)
The Commodity Futures Trading Commission'').
---------------------------------------------------------------------------
This proposal is consistent with other CIP requirements under the
BSA, including the bank CIP regulation where, critically, some banks--
but not all banks--are overseen by a Federal functional regulator.\80\
It does, however, create a disparity between PPSIs that fall under a
primary Federal payment stablecoin regulator and a State payment
stablecoin regulator.\81\ A State qualified payment stablecoin issuer
would be able to rely on, for example, a procedure performed by a PPSI
that is a subsidiary of an insured depository institution. But a PPSI
that is a subsidiary of a Federally regulated depository institution
would not be able to rely on a procedure performed by a State qualified
payment stablecoin issuer because such issuers are not overseen by a
Federal functional regulator.
---------------------------------------------------------------------------
\80\ See FinCEN, Customer Identification Program, Anti-Money
Laundering Programs, and Beneficial Ownership Requirements for Banks
Lacking a Federal Functional Regulator, 85 FR 57129 (Sept. 15, 2020)
(amending 31 CFR 1020.220 so banks lacking a Federal functional
regulator are covered by the bank CIP rule).
\81\ Compare 12 U.S.C. 5905 with 12 U.S.C. 5906.
---------------------------------------------------------------------------
While the proposal would not permit a PPSI to rely on another
entity to perform a CIP procedure unless such an entity is another
Federally regulated financial institution, it should not be construed
as restricting appropriate use of third parties to perform a service
related to a PPSI's CIP on the PPSI's behalf.\82\ In such cases,
however, the CIP obligation would remain with the PPSI.
---------------------------------------------------------------------------
\82\ Such third-party arrangements are contemplated, for
example, in FAQs issued by FinCEN, the Board, FDIC, NCUA, OCC, and
OTS. See Board, FDIC, FinCEN, NCUA, OCC, and OTS, Interagency
Interpretative Guidance on Customer Identification Program
Requirement under Section 326 of the USA Patriot Act, Customer
Notice FAQ 2 (Apr. 28, 2005), available at https://www.fincen.gov/resources/statutes-regulations/guidance/interagency-interpretive-guidance-customer-identification.
---------------------------------------------------------------------------
C. Proposed 31 CFR 1033.220(b)--Exemptions
Proposed Sec. 1033.220(b) would provide that the appropriate
Federal functional regulator, with the concurrence of the Secretary,
may by order or regulation, exempt any PPSI or any type of account from
the
[[Page 37244]]
requirements of this section. It also provides that the Secretary, with
the concurrence of the Federal functional regulator, may exempt any
PPSI or any type of account from the requirements of this section.
In issuing such exemptions, the Federal functional regulator and
the Secretary would consider whether the exemption is consistent with
the purposes of the BSA and with safety and soundness, as well as in
the public interest. It would also permit the Federal functional
regulator and Secretary to consider other necessary and appropriate
factors. Given that the GENIUS Act identifies the OCC, Board, FDIC, and
NCUA as a primary Federal payment stablecoin regulator for PPSIs under
their respective jurisdictions, in this proposed rule, FinCEN and the
Agencies retain ``Federal functional regulator'' consistent with its
use in the BSA CIP exemption provision, providing the Secretary of the
Treasury and the Federal functional regulator joint authority to issue
an exemption.\83\
---------------------------------------------------------------------------
\83\ See 31 U.S.C. 5318(l)(5).
---------------------------------------------------------------------------
D. Proposed 31 CFR 1033.220(c)--Other Requirements Unaffected
Proposed Sec. 1033.220(c) clarifies that nothing in Sec. 1033.220
relieves a PPSI of its obligation to comply with any other provision of
chapter X, including provisions concerning information that must be
obtained, verified, or maintained in connection with any account or
transaction, including requirements to have the technological
capability to comply with and to comply with the terms of any lawful
order.\84\
---------------------------------------------------------------------------
\84\ See 12 U.S.C. 5903(a)(6)(B).
---------------------------------------------------------------------------
E. Compliance Date
FinCEN and the Agencies propose that the rule would be effective 12
months after issuance of the final rule to allow sufficient time for
PPSIs to review and implement the requirements of the proposed rule.
VI. Request for Comments
FinCEN and the Agencies seek comments on all aspects of the
proposed rule and specifically seek comments on the following topics.
For all responses, commenters are encouraged to provide the basis for
any conclusions drawn in their comments.
1. Should any CIP requirement be extended to secondary market
activity? If yes, in what circumstances? What would be the benefits and
drawbacks of doing so?
2. Should FinCEN and the Agencies refine or clarify their definitions
of account, customer, or digital asset service provider? Are additional
definitions needed?
3. Should FinCEN and the Agencies retain ``formal relationship'' as
part of the definition of account? What are the hallmarks of a ``formal
relationship'' between a PPSI and a user? Should FinCEN and the
Agencies provide examples or attributes of a formal relationship in
guidance? Would other concepts be a better foundation for the account
definition, such as a contractual or business relationship, and why?
4. Should the proposed rule be clarified or refined to account for
situations where a customer's only desired relationship with a PPSI is
to redeem a payment stablecoin?
5. Should the regulatory text explicitly discuss digital identity
solutions or verifiable credentials? How could it best do so given the
range of tools available on the market?
6. What are the benefits and risks of using digital identity
solutions or verifiable credentials as part of verifying customers'
identities?
7. What is the expected likelihood that a PPSI would rely on
another PPSI's CIP or the CIP of another Federal functionally regulated
financial institution?
8. What, if anything, could be changed to make the proposed rule
more conducive to industry innovation? Explain how any changes would
positively or negatively impact PPSIs' expected operations and illicit
finance risk to the U.S. financial system.
VII. Executive Order 14294
Section 5 of Executive Order 14294 directs that all future notices
of proposed rulemaking (NPRMs) and final rules published in the Federal
Register, the violation of which may constitute criminal regulatory
offenses, should include a statement identifying that the rule or
proposed rule is a criminal regulatory offense and the authorizing
statute.\85\ Executive Order 14294 directs agencies to draft this
statement in consultation with the Department of Justice.
---------------------------------------------------------------------------
\85\ E.O. 14294, Fighting Overcriminalization in Federal
Regulations, 90 FR 20363, sec. 5 (May 14, 2025).
---------------------------------------------------------------------------
Executive Order 14294 further directs that the regulatory text of
all NPRMs and final rules with criminal consequences published in the
Federal Register after May 9, 2025 should explicitly state a mens rea
requirement for each element of a criminal regulatory offense,
accompanied by citations to the relevant provisions of the authorizing
statute.
Willful violations of the proposed regulations set forth in this
proposed rule, if finalized, may be subject to criminal penalties
pursuant to 31 U.S.C. 5322 and regulations promulgated in 31 CFR
chapter X. The statutory authority for criminal liability requires a
mens rea of willfulness as an element pursuant to 31 U.S.C. 5322(a) and
31 U.S.C. 5322(b). FinCEN's existing regulation, 31 CFR 1010.840, that
sets out criminal penalties for violations of regulations promulgated
in 31 CFR chapter X also includes a mens rea of willfulness. The
Department of Justice was consulted in drafting this statement.
VIII. Regulatory Impact Analysis
FinCEN and the Agencies have analyzed the proposed rule as required
under E.O. 12866,\86\ E.O. 13563,\87\ E.O. 14192,\88\ the Regulatory
Flexibility Act (RFA),\89\ the Unfunded Mandates Reform Act of 1995
(UMRA),\90\ the Paperwork Reduction Act (PRA),\91\ the Riegle Community
Development and Regulatory Improvement Act of 1994,\92\ the Gramm-
Leach-Bliley Act,\93\ and the Providing Accountability Through
Transparency Act of 2023.\94\
---------------------------------------------------------------------------
\86\ E.O. 12866, Regulatory Planning and Review, 58 FR 51736
(Oct. 4, 1993).
\87\ E.O. 13563, Improving Regulation and Regulatory Review, 76
FR 3821 (Jan. 21, 2011).
\88\ See E.O. 14192, Unleashing Prosperity Through Deregulation,
90 FR 9065 (Feb. 6, 2025); Office of Management and Budget (OMB), M-
25-20, Guidance Implementing Section 3 of Executive Order 14192,
Titled ``Unleashing Prosperity Through Deregulation,'' (Mar. 26,
2025), available at https://www.whitehouse.gov/wp-content/uploads/2025/02/M-25-20-Guidance-Implementing-Section-3-of-Executive-Order-14192-Titled-Unleashing-Prosperity-Through-Deregulation.pdf.
\89\ 5 U.S.C. 601 et seq.
\90\ 2 U.S.C. 1532.
\91\ 44 U.S.C. 3506(c)(2)(A), 3507(a)(1)(D).
\92\ 12 U.S.C. 4802(a).
\93\ Public Law 106-102, section 722, 113 Stat. 1338, 1471
(1999), 12 U.S.C. 4809.
\94\ 5 U.S.C. 553(b)(4).
---------------------------------------------------------------------------
The Office of Information and Regulatory Affairs in the Office of
Management and Budget (OMB) has determined this proposed rule to be a
``significant regulatory action'' under section 3(f) of E.O. 12866.
FinCEN and the Agencies have included an Initial Regulatory Flexibility
Analysis (IRFA) pursuant to the RFA as the proposed rule may have a
significant economic impact on a substantial number of certain types of
potentially affected small entities.\95\ Pursuant to analysis
[[Page 37245]]
required by UMRA, FinCEN and the Agencies conclude it is unlikely that
the proposed rule, if implemented, would result in a novel annual
expenditure of more than $193 million by State, local, and Tribal
governments or by the private sector.\96\
---------------------------------------------------------------------------
\95\ This economic expectation is sensitive to key assumptions
about how potentially affected financial institutions would respond
to the proposed requirements. FinCEN requests comment on whether it
would instead be more reasonable to certify that the proposed rule
would not have a significant economic impact on a substantial number
of small entities, given that the Agencies are certifying for their
respective entities.
\96\ The UMRA requires an assessment of mandates with an annual
expenditure of $100 million or more, adjusted for inflation. 2
U.S.C. 1532(a). FinCEN and the Agencies have not anticipated
material changes in expenditures for State, local, and Tribal
governments, insofar as they would not participate in the primary
activities of monitoring or enforcing compliance of the newly
proposed requirements in a way that differs from current
involvement, thereby incurring novel incremental costs. But because
the proposed rule would affect entities in the private sector that
are covered financial institutions, FinCEN and the Agencies have
considered expenditures these private entities may incur, pursuant
to UMRA, as part of the regulatory impact in their assessment below.
---------------------------------------------------------------------------
As described above,\97\ the proposed rule would implement the
GENIUS Act's directives to treat PPSIs as financial institutions for
purposes of the BSA and to require such issuers to maintain an
``effective customer identification program, including identification
and verification of the identity of account holders.'' \98\ It includes
proposed requirements for a PPSI to establish and maintain a written
CIP; maintain risk-based procedures for verifying the identity of each
customer to the extent reasonable and practicable; maintain certain
records; and compare the customers' identity with government lists. The
proposal would also require a PPSI to include procedures for customer
notice related to verifying identity, allow reliance on another
financial institution's CIP under certain circumstances, and outline
the ability of FinCEN and the Agencies to issue exemptions related to
the CIP requirement.
---------------------------------------------------------------------------
\97\ See supra section I; see also supra section V.
\98\ See 31 U.S.C. 5903(a)(5)(A), 5903(a)(5)(A)(v); see also 31
U.S.C. 5318(l).
---------------------------------------------------------------------------
In issuing this proposal, FinCEN and the Agencies contemplate a
number of benefits for PPSIs, regulators, other compliance examiners,
law enforcement and national security agencies, and the general public.
Such benefits include CIPs that effectively contribute to the detection
and deterrence of money laundering and terrorist financing, support
broader BSA policy goals, and help ensure that CIPs for PPSIs are
consistent with those required for other financial institution types
with CIP requirements, which should promote efficiencies and reduce
opportunities for regulatory arbitrage.
This regulatory impact analysis (RIA) begins by describing the
broad economic analysis FinCEN and the Agencies undertook to inform
their expectations of the proposed rule's economic impact and
burden.\99\ This is followed by pieces of additional and, in some
cases, more specifically tailored analysis as required by E.O.s 12866,
13563, and 14192; \100\ the RFA; \101\ the UMRA; \102\ and the
PRA.\103\ Requests for comments related to the RIA--regarding specific
findings, assumptions, or expectations, or with respect to the analysis
in its entirety--can be found in the final subsection.\104\ These
requests for comments have been previewed throughout the RIA.
---------------------------------------------------------------------------
\99\ See infra section VIII.A.
\100\ See infra section VIII.B.
\101\ See infra section VIII.C.
\102\ See infra section VIII.D.
\103\ See infra section VIII.E.
\104\ See infra section VIII.F.
---------------------------------------------------------------------------
A. Assessment of Impact
Consistent with best practices in regulatory economic analysis,
FinCEN and the Agencies' assessment of impact begins with an overview
of broad economic considerations, identifying, among other things, the
need for the policy intervention.\105\ Next, FinCEN and the Agencies
(1) establish baseline estimates of the number of covered PPSIs and
other entities, including insured depository institutions, that could
be affected by the proposed rule, and (2) describe the current
regulatory requirements and background practices against which the
proposed rule would introduce changes.\106\ The analysis then briefly
reviews elements of the proposed rule that most directly inform how
foreseeable economic impacts would flow from how PPSIs and their
respective regulators would engage in activities not expected to
otherwise be undertaken in order to comply.\107\ Next, the RIA presents
the anticipated benefits and estimated costs to the respective affected
parties that would be associated with the proposed CIP
obligations.\108\ Finally, the assessment concludes with a brief
discussion of alternative policies FinCEN and the Agencies considered
and could have proposed, including an evaluation of the relative
economic merits of each against the expected value of the rule as
proposed.\109\
---------------------------------------------------------------------------
\105\ See infra section VIII.A.1.
\106\ See infra section VIII.A.2.
\107\ See infra section VIII.A.3.
\108\ See infra section VIII.A.4.
\109\ See infra section VIII.A.5.
---------------------------------------------------------------------------
1. Broad Economic Considerations
In performing their assessment of impact, FinCEN and the Agencies
took into consideration certain fundamental economic problems that the
proposed rule is expected to address as well as the general social and
economic costs that may ensue from an AML/CFT and CIP regime for PPSIs
that is ineffective. Because this NPRM is being issued pursuant to
statutory obligations,\110\ the necessity for FinCEN and the Agencies
to independently identify and articulate fundamental economic problems
that the proposed rule is intended to address, as the basis for
regulatory action,\111\ is attenuated because at best this activity
would complement the problem identification already performed by
Congress.\112\ Nevertheless, FinCEN and the Agencies have remained
mindful of these animating considerations as well as the general social
and economic costs that may ensue from an ineffective AML/CFT
regime.\113\
---------------------------------------------------------------------------
\110\ See 12 U.S.C. 5903(a)(5)(A)(v); see also generally, supra
section II.
\111\ See E.O. 12866, Regulatory Planning and Review, 58 FR
51736, section 1(b)(1) (Oct. 4, 1993) (``Each agency shall identify
the problem that it intends to address (including, where applicable,
the failures of private markets or public institutions that warrant
new agency action) as well as assess the significance of that
problem.'').
\112\ See 12 U.S.C. 5903(a)(5)(A)(v).
\113\ In a related context, with respect to AML/CFT programs,
Congress instructed FinCEN to consider the potential economic
inefficiencies engendered by the presence of market externalities
when promulgating implementing regulations. See 31 U.S.C.
5318(h)(2)(B)(i) (stating financial institutions are spending
private compliance funds for a public and private benefit, including
protecting U.S. financial system from illicit finance risks); see
also 31 U.S.C. 5318(h)(2)(B)(iii) (stating that AML/CFT programs
safeguard national security and generate significant public benefits
by preventing illicit flows of funds and assisting law enforcement
and national security agencies with information).
---------------------------------------------------------------------------
FinCEN and the Agencies expect that the proposed rulemaking would
meaningfully alleviate certain underlying economic problems that could
otherwise impair the effective administration of the BSA and
potentially distort affected markets. These include potential problems
that flow from the incidence of both positive and negative
externalities in connection with customer identification activity and
the potential for regulatory arbitrage in the absence of uniform
minimum standards for financial institutions' CIPs.\114\
---------------------------------------------------------------------------
\114\ See, e.g., FinCEN, Anti-Money Laundering and Countering
the Financing of Terrorism Programs, 89 FR 55428, 55450 (July 3,
2024).
---------------------------------------------------------------------------
The expected benefits of the proposed rule, as discussed
below,\115\ are therefore linked by the extent to which the proposed
requirements would address these fundamental economic problems.
---------------------------------------------------------------------------
\115\ See infra section VIII.A.4.i.
---------------------------------------------------------------------------
2. Institutional Baseline and Affected Parties
In proposing this rule, FinCEN and the Agencies considered the
[[Page 37246]]
incremental impacts of the proposed CIP requirements relative to the
current state of the affected markets and their participants.\116\ This
baseline analysis of the parties that would be affected by the proposed
rule, their current CIP-like obligations and activities, and the costs
and/or benefits associated with those activities satisfies analytical
best practices by describing the alternative of not pursuing the
proposed, or any other, novel regulatory action.\117\ In each case, the
RIA has attempted to identify the incremental expected economic effects
of each component of the proposal as precisely as practicable against
this baseline. Nevertheless, in certain cases, FinCEN and the Agencies
can only make qualitative assessments.
---------------------------------------------------------------------------
\116\ In this context, FinCEN and the Agencies employ the term
``market'' in its broadest economic sense, referring to any set of
exchanges, transactions, or actions that involve counterparties with
unique objectives. The baseline here set forth also forms the
counterfactual against which the quantifiable effects of the rule
are measured; therefore, substantive errors in or omissions of
relevant data, facts, or other information may affect the
conclusions formed regarding the general and economically
significant impacts of the rule. FinCEN and the Agencies invite
comment on the accuracy of the baseline population estimates as well
as any supporting studies, data, or anecdotes.
\117\ See E.O. 12866, supra note 86, at section 1(a) (``In
deciding whether and how to regulate, agencies should assess all
costs and benefits of available regulatory alternatives, including
the alternative of not regulating.'').
---------------------------------------------------------------------------
As a first step in the process of isolating these anticipated
marginal effects, FinCEN and the Agencies assessed the regulatory and
market landscape facing the current stablecoin issuers, and potential
future PPSIs, that would be affected by the proposed rule, including an
estimate of the expected near-term number of potential PPSIs, their
existing regulatory requirements, and the burden they either would face
or currently face in connection with the compliance activities the
proposed rule would require. FinCEN and the Agencies also briefly
discuss other categories of persons and entities (i.e., regulators,
compliance examiners, law enforcement and national security agencies,
and certain members of the general public) that are expected to be
directly affected by the proposed rule.
i. Regulatory Baseline
As discussed in section II, stablecoin issuers are already subject
to BSA obligations as MSBs, specifically, money transmitters. As MSBs,
stablecoin issuers are currently subject to a range of BSA obligations.
MSBs are required to, for instance, (i) establish and maintain written
AML programs \118\ that include policies, procedures, and internal
controls to verify customer identification; \119\ (ii) file currency
transaction reports; \120\ (iii) file Suspicious Activity Reports
(SARs); \121\ and (iv) maintain certain records, including those
relating to certain transmittals of funds.\122\ MSBs are required to
register with FinCEN \123\ and are subject to examination for BSA
compliance by the Internal Revenue Service (IRS).\124\
---------------------------------------------------------------------------
\118\ 31 CFR 1022.210.
\119\ 31 CFR 1022.210(d)(1)(i)(A).
\120\ 31 CFR 1022.310.
\121\ 31 CFR 1022.320.
\122\ 31 CFR 1022.400, 1010.410(e)-(f).
\123\ 31 CFR 1022.380.
\124\ 31 CFR 1010.810(b).
---------------------------------------------------------------------------
While MSBs are not subject to as many customer identification
requirements as other types of financial institutions under the BSA,
the BSA does require them to maintain policies, procedures, and
internal controls to verify customer identification \125\ and to
collect identification information for transmittals of funds over
$3,000--including the name, address, and identification document of an
individual requesting transmission \126\--and for transactions in
currency of more than $10,000.\127\
---------------------------------------------------------------------------
\125\ 31 CFR 1022.210(d)(1)(i)(A).
\126\ 31 CFR 1010.410(e)(1).
\127\ 31 CFR 1010.311, 1010.312.
---------------------------------------------------------------------------
ii. Baseline of Expected Affected Parties
FinCEN and the Agencies have identified four distinct populations
expected to be directly affected, to varying degrees, by the proposed
rule, namely: (1) PPSIs, (2) customers of PPSIs, (3) certain other
financial institutions, and (4) other less directly affected parties,
including regulators (including examiners working for or under the
authority of those regulators) and law enforcement and national
security agencies. To the extent that economic impact on additional
key, directly affected subpopulations of the general public should be
considered, FinCEN and the Agencies invite comments, data, studies, or
reports that would enhance their ability to identify and quantify such
effects.
a. PPSIs
FinCEN and the Agencies have conducted independent research with a
view to estimating the number of potential PPSIs that would exist in
the near-term future.\128\ Taking each of those independent exercises
into consideration, the proposed rule could be expected to apply to
approximately 50 PPSIs in each of the first three years of the GENIUS
Act being effective. Table 1 illustrates the anticipated distribution
of these potential PPSIs as organized by types as categorized in the
GENIUS Act's definition of ``permitted payment stablecoin issuer''
\129\ and proposed definition Sec. 1010.100(ttt). That proposed
definition contains three subtypes of PPSIs, specifically those that
are subsidiaries of insured depository institutions or credit unions
that have been approved to issue payment stablecoins by a primary
Federal payment stablecoin regulator (collectively ``subsidiaries of
insured depository institutions''); Federal qualified payment
stablecoin issuers (FQPSIs); and State qualified payment stablecoin
issuers (SQPSIs).\130\ As explained in proposed Sec. 1010.100(vvv), a
FQPSI is an entity approved by the OCC under 12 U.S.C. 5903 to issue
payment stablecoins and is either--(1) a nonbank entity, (2) an
uninsured national bank, or (3) a Federal branch.\131\
---------------------------------------------------------------------------
\128\ See, e.g., FDIC, Approval Requirements for Issuance of
Payment Stablecoins by Subsidiaries of FDIC-Supervised Insured
Depository Institutions, 90 FR 59409 (Dec. 19, 2025); NCUA,
Investments in and Licensing of Permitted Payment Stablecoins
Issuers, 91 FR 6531 (Feb. 12, 2026); OCC, Implementing the Guiding
and Establishing National Innovation for U.S. Stablecoins Act for
the Issuance of Stablecoins by Entities Subject to the Jurisdiction
of the Office of the Comptroller of the Currency, 91 FR 10202 (Mar.
2, 2026); FDIC, GENIUS Act Requirements and Standards for FDIC-
Supervised Permitted Payment Stablecoin Issuers and Insured
Depository Institutions, 91 FR 18534 (Apr. 10, 2026).
\129\ 12 U.S.C. 5901(23).
\130\ See PPSI AML/CFT NPRM, at section VI.C.1.ix, supra note 4;
see also 12 U.S.C. 5901(23).
\131\ See PPSI AML/CFT NPRM, at section VI.C.1.ix, supra note 4;
see also 12 U.S.C. 5901(23).
---------------------------------------------------------------------------
FinCEN expects that of the 50 anticipated PPSIs, approximately 60
percent should be subsidiaries of insured depository institutions and
40 percent not.\132\ \133\ Because FinCEN has not identified,
with more certainty than not, currently operating stablecoin issuers
that it expects will become SQPSIs within the PPSI regulatory framework
(as defined in proposed Sec. 1010.100(ttt)(3) and Sec.
1010.100(xxx)), the population used in this analysis does not further
distinguish its estimate for these types of potential future PPSIs from
other non-IDI subsidiary expected future PPSIs.\134\ Because these
projections represent best-effort estimates based on limited
information,
[[Page 37247]]
the public is strongly encouraged to provide additional comments, data,
and other information that could enhance the accuracy and precision of
these estimates.
---------------------------------------------------------------------------
\132\ See PPSI AML/CFT NPRM, at sections VI.C.1.xi and xiii,
supra note 4; see also 12 U.S.C. 5901(11), (31).
\133\ The OCC estimates that within the first year of the GENIUS
Act being effective, 12 currently non-OCC regulated institutions
would have PPSI-affiliated subsidiaries and 12 OCC-regulated
depository institutions would have PPSI affiliated subsidiaries.
\134\ See PPSI AML/CFT NPRM, at section VI.C.1.xiii, supra note
4; see also 12 U.S.C. 5901(31).
---------------------------------------------------------------------------
[GRAPHIC] [TIFF OMITTED] TP22JN26.011
[[Page 37248]]
b. Customers of PPSIs
FinCEN and the Agencies expect the general public to be affected by
the proposed rule, with certain subpopulations affected more directly
than others. In particular, FinCEN and the Agencies considered
customers of PPSIs, as the term ``customer'' is proposed to be defined
in this rulemaking. Although estimated payment stablecoin users number
in the hundreds of millions, a substantially smaller number (in the
hundreds of thousands) are likely to interact with PPSIs in the primary
market. Many of these customers are large financial institutions, and
most large stablecoin issuers set significant financial requirements
for primary market participants that exclude retail-level
participation. Most primary market activity, as measured in transaction
volume, is attributable to these large entities. However, some issuers
have increasingly adopted wider-facing mint/redeem models that seek to
include smaller investors and businesses.
To estimate the number of expected primary market customers a
future PPSI might interact with, FinCEN examined current on-chain
minting and redemption activity as observable from publicly available
data. Almost all the stablecoin products meeting the GENIUS Act's
definitional criteria for future payment stablecoins that FinCEN
reviewed had fewer than 1,000 primary market customers in a given year,
which is consistent with prior expectations of high institutional
barriers. However, a small number of the stablecoins reviewed had
significantly more primary market contact (with over 250,000 customers)
in a given year. In the sample of issuers FinCEN reviewed, the average
number of an issuer's primary market customers was approximately
17,000, but this value appeared to be driven by extreme outliers. The
truncated average was approximately 1,000, and the median value was
100.\135\
---------------------------------------------------------------------------
\135\ To address the impact of extreme outliers, the truncated
mean was estimated by removing six percent of the sample from the
left and right tails of the distribution (the single smallest and
largest values). The largest value was more than three standard
deviations away from the nearest value, making it a significant outlier.
---------------------------------------------------------------------------
Based on this analysis, FinCEN estimates that the ``average'' PPSI
would have approximately 1,000 primary market customers that it
interacts with directly, including issuing and redeeming payment
stablecoins and engaging in digital asset service provider activities
where those activities are authorized by the appropriate primary
Federal or the State payment stablecoin regulator and consistent with
all other Federal and State laws. However, some PPSIs are expected to
have substantially more or substantially fewer customers than this
estimate. In total, FinCEN does not expect the total number of unique
primary market PPSI customers to exceed 300,000. However, FinCEN
estimates that a substantial portion of these customers may be
affiliates of a single counterparty or associated with non-U.S.
entities.\136\ FinCEN estimates that the number of customers that are
U.S. businesses is likely no more than 10,000. As described earlier,
these businesses belong to several categories, including digital asset
exchanges, specialized digital asset commodities traders, and other
types of investment- and securities-related businesses. Besides digital
asset exchanges, FinCEN expects most of a PPSI's other customers are
likely to be financial institutions.\137\
---------------------------------------------------------------------------
\136\ In cases where these entities are not U.S. persons, the
incremental economic burdens of the proposed rule, while considered
as part of the broader economic analysis, are not included in the
IRFA because RFA considerations apply to U.S. small entities only.
\137\ Such firms would be classified under North American
Industry Classification System (NAICS) industry code 523
(``Securities, Commodity Contracts, and Other Financial Investments
and Related Activities'').
---------------------------------------------------------------------------
FinCEN also used publicly available data on on-chain minting and
redemption activity to analyze annual rates of customer growth and
turnover. Many of the stablecoin issuers reviewed retained the same
group of large ``core'' primary market customers year over year but
exhibited significant turnover among their smaller primary market
customers. In addition, most stablecoin issuers saw significant growth
in their primary market customer base during 2025. For purposes of
modeling expected economic effects, FinCEN and the Agencies assume that
this growth will continue, particularly among stablecoin issuers that
are able to secure PPSI registration. Of the stablecoin issuers FinCEN
reviewed, the average rate of new customer inflow, year over year, was
approximately 65 percent of the number of existing, previous customers.
Therefore, FinCEN and the Agencies apply this rate, where relevant,
when estimating the costs in the remaining analysis.
c. Other Financial Institutions
Certain other financial institutions may be affected by the
proposed rule. Although FinCEN and the Agencies cannot, at this time,
provide the specific number of expected affected financial institutions
in either category, there are two particular categories that could
reasonably be expected to be affected by the proposed CIP requirements
for PPSIs.
The first category includes insured depository institutions that
have a PPSI as a subsidiary. Because this RIA projects that there may
be up to 30 such PPSIs in the next three years, the corresponding
number of expected affected insured depository institutions would also
be up to 30. It is anticipated that an insured depository institution
would arrange for its subsidiary PPSI's CIP to nest within the
preexisting overall CIP structure of the parent organization. As such,
parent organizations may be economically affected by the need to
revise, expand, or otherwise tailor existing CIPs. FinCEN and the
Agencies expect, however, that similarities between the existing CIP
rule for banks and this proposal would minimize, though not eliminate,
this cost.
The second category of financial institutions expected to be
affected by the proposed CIP requirements includes those financial
institutions already subject to their own CIP obligations on which one
or more PPSIs would be able to rely for the performance of some aspect
of its CIP obligations, pursuant to proposed Sec. 1033.220(a)(6), or
which themselves could rely upon a PPSI for the performance of some
aspect of their own CIP obligations, pursuant to the provision of the
financial institution's CIP regulation analogous to proposed Sec.
1033.220(a)(6).\138\ Table 2 presents the total number of financial
institutions already subject to CIP obligations, which represents the
maximum number of potentially affected parties in this category. FinCEN
considers it unlikely that all, or even many, of these 14,575 financial
institutions would either be relied upon by PPSIs for some aspect of
the PPSI's CIP compliance or rely upon PPSIs for some aspect of the
institution's CIP.\139\ FinCEN and the Agencies acknowledge, however,
that this expectation is somewhat
[[Page 37249]]
speculative and are interested in receiving comments on the anticipated
likelihood of this outcome.
---------------------------------------------------------------------------
\138\ See, e.g., 31 CFR 1020.220(a)(6) (analogous CIP provision
applicable to banks).
\139\ Proposed Sec. 1033.220(a)(6)(iii) would require that
``[t]he other financial institution [. . .] certify annually to the
permitted payment stablecoin issuer that it has implemented its AML/
CFT program, and that it will perform (or its agent will perform)
specified requirements of the permitted payment stablecoin issuer's
CIP.'' A bank that is not examined by a Federal functional regulator
(FFR) may rely on another financial institution's CIP where that
institution is overseen by an FFR. However, another financial
institution cannot rely on the CIP of a bank that is not examined by
an FFR. See 31 CFR 1020.220(a)(6)(ii).
---------------------------------------------------------------------------
Table 2--Estimates of Financial Institution Types With Existing CIP
Requirements
------------------------------------------------------------------------
                                                             Number of
           Financial institution type \a\                    financial
                                                            institutions
------------------------------------------------------------------------
Banks with a Federal functional regulator (FFR) \b\.....       \c\ 8,623
Banks without an FFR \d\................................         \e\ 365
Broker-Dealers \f\......................................       \g\ 3,278
Mutual Funds \h\........................................       \i\ 1,355
Futures Commission Merchants (FCMs) and Introducing              \k\ 954
 Brokers in Commodities (IBCs) \j\......................
                                                         ---------------
    Total...............................................          14,575
------------------------------------------------------------------------
\a\ See 31 U.S.C. 5312(a)(2); 31 CFR 1010.100(t) (definition of
financial institution).
\b\ See 31 CFR 1010.100(t)(1); 31 CFR 1010.100(d); 31 CFR 1020.210(a);
31 CFR 1020.220 (CIP requirements for banks).
\c\ This includes 4,336 FDIC-insured depository institutions (i.e.,
Federally regulated banks) according to the FDIC's Quarterly Bank
Profile for Q4 2025, p. 2 (https://www.fdic.gov/quarterly-banking-profile/past-quarterly-banking-profiles). It also includes 4,287 NCUA-
chartered credit unions (i.e., Federally regulated credit unions) as
of December 31, 2025, according to the NCUA's Quarterly Credit Union
Data Summary: 2025 Q4, p. i (https://ncua.gov/analysis/credit-union-corporate-call-report-data/quarterly-data-summary-reports).
\d\ See 31 CFR 1020.210(b); 31 CFR 1020.220 (CIP requirements for
banks).
\e\ The Board of Governors of the Federal Reserve System Master Account
and Services Database (https://www.federalreserve.gov/paymentsystems/master-account-and-services-database-existing-access.htm) contains
data as of November 30, 2025 on financial institutions that use
Federal Reserve Bank financial services, including those with no
additional Federal regulator. FinCEN used this data to identify 365
banks and credit unions with no additional Federal regulator using
Federal Reserve Bank financial services.
\f\ See 31 U.S.C. 5312(a)(2)(G); 31 CFR 1010.100(t)(2); 31 CFR 1023.220
(CIP requirements for broker-dealers).
\g\ This estimate is based on U.S. Securities and Exchange Commission
(SEC) data on active broker-dealers available at ``Company Information
About Active Broker-Dealers'' (https://www.sec.gov/foia-services/frequently-requested-documents/company-information-about-active-broker-dealers), which listed 3,278 active broker-dealers registered with the
SEC as of December 31, 2025.
\h\ See 31 U.S.C. 5312(a)(2)(I); 31 CFR 1010.100(t)(10); 31 CFR 1024.220
(CIP requirements for mutual funds).
\i\ This estimate is based on the number of N-1A registrants in SEC's
Annual Registered Investment Company Update: Form N-CEN Data, Period
Ending December 2024, April 2025, table 1.3, p. 4 (https://www.sec.gov/files/annual-registered-investment-company-update-20250404.pdf).
\j\ See 31 U.S.C. 5312(a)(2)(H); 31 CFR 1010.100(t)(8-9); 31 CFR
1026.220 (CIP requirements for FCMs and IBCs).
\k\ According to Commodity Futures Trading Commission data on FCMs
available at ``Financial Data for FCMs'' (https://www.cftc.gov/MarketReports/financialfcmdata/index.htm), there were 66 registered
FCMs as of December 31, 2025. The number of IBCs as of December 31,
2025 (888) was obtained from the National Futures Association ``NFA
Membership and Registration'' website (https://www.nfa.futures.org/registration-membership/membership-and-directories.html). Because
deduplication of entities registered as both FCMs and IBCs was not
feasible, this estimate may double-count some entities registered in
both categories. FinCEN, however, believes this subpopulation may be
small.
d. Other Affected Parties
Regulators and Compliance Examiners: Examiners required to verify
whether CIP obligations are being followed by PPSIs would be directly
affected by the proposed rule.\140\ In a separate rulemaking, FinCEN is
proposing changes to its existing regulations to effectuate the GENIUS
Act's direction to apply BSA obligations to PPSIs.\141\ FinCEN's PPSI
AML/CFT NPRM includes a proposal to (1) amend 31 CFR 1010.810(b) to
delegate examination authority to the primary Federal payment
stablecoin regulators (the Agencies) and (2) assert that its existing
regulations delegate examination authority to the IRS for the
SQPSIs.\142\ As a function of the proposal in that NPRM, this proposed
rule is expected to directly affect FinCEN as well as the primary
Federal payment stablecoin regulators, i.e., the Agencies, and their
compliance examiners, who number approximately 7,500 from the Agencies,
plus several hundred additional examiners from the IRS.\143\
---------------------------------------------------------------------------
\140\ Certain state regulators may be affected in a way that is
comparable to the effects on Federal regulators. However, given that
the GENIUS Act sets out a federal regulatory framework with certain
tasks for Federal regulators, it is difficult at this time to do
more than speculate about what actions states may take, and
therefore the Agencies did not attempt to estimate the effect of
this rule on state regulatory agencies. However, the Agencies are
interested in receiving comments offering assessments on this
subject.
\141\ See PPSI AML/CFT NPRM, supra note 4.
\142\ Id.
\143\ These figures represent an approximate number of Federal
examiners.
---------------------------------------------------------------------------
Law Enforcement and National Security Agencies: Law enforcement and
national security agencies can directly access and use reports provided
to FinCEN in compliance with the AML/CFT requirements after entering a
memorandum of understanding with FinCEN. As of fiscal year 2024, 432
federal, state, and local law enforcement; regulatory; and national
security agencies had access to BSA reports and BSA Search, and the BSA
Portal had over 12,000 authorized personnel with access.\144\ While CIP
obligations do not include express reporting requirements that would
provide data directly to law enforcement or regulators, they support
overall AML/CFT obligations and are complementary to the direct
benefits of those programs for law enforcement. For instance, effective
CIP practices include retaining standardized records that may support
future law enforcement and national security needs and may improve the
efficacy of certain types of BSA reporting, such as SARs, by providing
PPSIs with additional data on existing or potential customers.
---------------------------------------------------------------------------
\144\ See FinCEN, Financial Crimes Enforcement Network (FinCEN)
Year in Review for Fiscal Year 2024, p. 5, available at https://www.fincen.gov/system/files/2025-08/FinCEN-Infographic-Public-2025-508.pdf. Note that not all users are from external agencies. FinCEN
employees are also among the users with access to the BSA Portal.
---------------------------------------------------------------------------
iii. Current Market Practices
In considering the impact of the proposed rule, FinCEN and the
Agencies considered certain relevant features and CIP practices of
current stablecoin issuers that could meet the proposed definitional
criteria of PPSI.
In defining current practices, it is first important to distinguish
stablecoins in general from the narrower concept of a payment
stablecoin as defined by the GENIUS Act. As discussed earlier,
stablecoins that carry indicators they could be payment stablecoins are
only a subset of the overall market of stablecoins, although they
represent
[[Page 37250]]
over 80 percent of the total market value.\145\ Payment stablecoins
have several features that make CIP compliance more practical for their
issuers. Most importantly, PPSIs are likely to have a centralized
issuance structure in which the issuer is obliged to redeem upon demand
the advertised fixed value for every coin issued. As opposed to
decentralized issuance structures, where users can anonymously mint,
trade, and redeem their own coins on a decentralized blockchain largely
free of any third-party interface, centralized issuance structures
allow a collection point for customer information and transaction
records for primary-market transactions.
---------------------------------------------------------------------------
\145\ Among the approximately 352 stablecoin products evaluated
by FinCEN, those products with indicia of being a potential PPSI or
foreign payment stablecoin issuer payment stablecoin represented
about 63 products, or less than 18 percent of all products examined.
However, the market value of these products represented
approximately 80 percent of the market value of the sample.
---------------------------------------------------------------------------
In order to collect, screen, and store customer information in the
course of business, stablecoin issuers and other financial market
participants often employ software technologies especially suited for
this purpose. These third-party services provide customer identity
information verification and screening to collect and verify personal
information such as name or address, and to identify whether someone
wishing to open an account is on a list of known or suspected
terrorists or terrorist organizations, among other functions. These
activities may be performed in the ordinary course of business but are
also expected to occur because stablecoin issuers have AML/CFT program
obligations as MSBs.\146\
---------------------------------------------------------------------------
\146\ See 31 CFR 1022.210; PPSI AML/CFT NPRM, supra note 4.
---------------------------------------------------------------------------
Many of the stablecoin issuers evaluated by FinCEN tended to retain
the same group of large ``core'' primary market customers year over
year, but exhibited significant turnover among smaller primary market
customer institutions focused on market arbitrage or other short-term
trading opportunities. Turnover rates were particularly high among
issuers whose business models facilitated larger numbers of primary
market customers. Stablecoin issuers such as these may see several
thousand new primary market participants in a given year, indicating
that such issuers are likely to have automated know-your-customer
functions to facilitate large numbers of new customers. Smaller or more
centralized issuers generally experienced far fewer new
customers (although retention or growth may be similar from a
percentage standpoint), indicating that processes may be more manual.
Overall, most issuers saw significant growth in their primary market
customer base during 2025, possibly a result of increased adoption
rates and greater regulatory clarity following the passage of the
GENIUS Act.
3. Description of Proposed Requirements
For purposes of the RIA, FinCEN and the Agencies considered the
various components of the proposed rule with a view towards the
specific features or elements that are expected to generate, either
directly or indirectly, an economic benefit or cost or lead to changes
in a market participant's incentives in a way that may generate
economic benefits or costs.\147\ For completeness, this section
presents a brief review of all of the components of the proposed rule
and sorts those not anticipated to have a separable incremental effect
from those foreseeably expected to impose direct economic effects. The
latter are then further discussed in the following subsection
(VIII.A.4). For components of the proposed rule to which FinCEN's and
the Agencies' analysis has not assigned a quantified burden (in hours or
dollars), the reason for doing so is briefly explained in the
description of expected costs.\148\
---------------------------------------------------------------------------
\147\ See infra section VIII.A.4.
\148\ See infra section VIII.A.4.ii.
---------------------------------------------------------------------------
To balance the completeness of the RIA with the desire for
expositional clarity and ease of tractability between the proposed
regulatory text and sections V (Section-by-Section Analysis) and VIII
(Regulatory Impact Analysis), FinCEN and the Agencies have included
Table 3, to provide a mapping of the various components of the proposed
rulemaking as presented in section V to their analogous categorization
in the RIA.
Table 3--Overview/Mapping of the Proposed Rule
----------------------------------------------------------------------------------------------------------------
Elements of the Proposed Rule | Section V analysis | Discussed in RIA subsection(s) | Proposed regulatory text location
----------------------------------------------------------------------------------------------------------------
Define ``account'' as a formal relationship between a customer and a PPSI established to provide or engage in services, dealings, or other financial transactions, including five non-exclusive examples. | V.A.1 | VIII.A.3.i | 1033.100(a)(1)
Define ``account'' to exclude: (1) a product or service where a formal relationship is not established with a person; (2) an account the PPSI acquires through an acquisition, merger, purchase of assets, or assumption of liabilities from a financial institution; (3) an account opened to participate in an Employment Retirement Income Security Act of 1974 employee benefit plan; or (4) ownership or control of a PPSI's payment stablecoins alone, without other indicators of a formal relationship. | V.A.1 | VIII.A.3.i | 1033.100(a)(2)
Define ``customer,'' for purposes of PPSI CIP requirements, to include (1) a person that opens a new account and (2) any individual who opens a new account for either: (a) an individual who lacks legal capacity or (b) an entity that is not a legal person. | V.A.2 | VIII.A.3.i | 1033.100(b)(1)
[[Page 37251]]
Define ``customer,'' for purposes of PPSI CIP requirements, to exclude: (1) a financial institution with an FFR or a bank regulated by a State bank regulator, (2) a defined exempt person as described in 31 CFR 1020.315(b)(2)-(4), (3) a known PPSI customer with an existing account, and (4) a person acquiring/redeeming a payment stablecoin from a means other than directly to/from the PPSI. | V.A.2 | VIII.A.3.i | 1033.100(b)(2)
Define ``digital asset service provider,'' for purposes of PPSI CIP requirements, to include certain defined persons engaged in select businesses. | V.A.3 | VIII.A.3.i | 1033.100(c)(1)
Incorporate ``person'' as defined by the GENIUS Act within the PPSI-CIP framework to adopt the meaning set forth in 12 U.S.C. 5901(24) when defining a ``digital asset service provider.'' | V.A.3 | VIII.A.3.i | 1033.100(c)(1)(i)
Incorporate ``monetary value'' as defined by the GENIUS Act to clarify its meaning within the definition of ``digital asset service provider'' as set forth in 12 U.S.C. 5901(7). | V.A.3 | VIII.A.3.i | 1033.100(c)(1)(i)(A)
Define ``digital asset service provider,'' for purpose of PPSI CIP requirements, to exclude: (1) distributed ledger protocols; (2) developing, operating, or engaging in the business of developing distributed ledger protocols or self-custodial software interfaces; (3) immutable and self-custodial software interfaces, (4) developing, operating, or engaging in the business of validating transactions or operating a distributed ledger, or (5) participating in a liquidity pool or similar mechanism. | V.A.3 | VIII.A.3.i | 1033.100(c)(2)
Introduce a definition of ``distributed ledger protocol'' to clarify its meaning within the definition of ``digital asset service provider'' as set forth in 12 U.S.C. 5901(9). | V.A.3 | VIII.A.3.i | 1033.100(c)(3)
Require a PPSI to establish and maintain a written CIP appropriate for its size and business that is part of the PPSI's AML/CFT Program. | V.B.1 | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(1)
Require a PPSI's CIP to include risk-based identity verification procedures, including procedures for opening an account that specify the identifying information that would be obtained with respect to each customer. | V.B.2 | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(2)
Require that a PPSI's CIP contain procedures for opening an account that specify the identifying information that would be obtained prior to account opening with respect to each customer, including, at minimum: (1) name, (2) date of birth/formation, (3) address, and (4) identification number, subject to certain exceptions. | V.B.2.i | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(2)(i)
Require a PPSI's CIP to contain procedures for verifying the identity of each customer within a reasonable period of time before or after the customer's account is opened, using information obtained in accordance with its customer identification procedures that describe when the PPSI would use documents, non-documentary methods, or a combination of both methods. | V.B.2.ii | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VII.E | 1033.220(a)(2)(ii)
Require that if the PPSI is relying on documents to verify a customer's identity, the CIP must contain procedures that set forth the documents the PPSI would use. | V.B.2.ii.a | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(2)(ii)(A)
Provide non-exclusive lists of examples of documents a PPSI may use to verify the identity of customers that are (1) natural persons/individuals or (2) other persons. | V.B.2.ii.a | VIII.A.3.ii | 1033.220(a)(2)(ii)(A)(1) & 220(a)(2)(ii)(A)(2)
Require that if a PPSI would employ non-documentary methods to verify the identity of a customer, its CIP must contain procedures that set forth the non-documentary methods the PPSI would use. | V.B.2.ii.b | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(2)(ii)(B)
Provide a non-exclusive list of examples of non-documentary methods a PPSI may use to verify customer identity. | V.B.2.ii.b | VIII.A.3.ii | 1033.220(a)(2)(ii)(B)(1)
[[Page 37252]]
Require that a PPSI's non-documentary procedures must address situations where: (1) the customer (a) is an individual unable to present an unexpired government-issued identification document bearing a photograph or similar safeguard or (b) opens the account without meeting in person; or (2) the PPSI (a) is unfamiliar with the documents presented, (b) opens an account without obtaining documents, or (c) is otherwise presented with circumstances that increase the risk that it will be unable to verify the true identity of a customer through documents. | V.B.2.ii.b | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(2)(ii)(B)(2)
Require that the PPSI's CIP address situations where, based on the PPSI's risk assessment of the new account of a customer that is not an individual, the PPSI determines it cannot verify the customer's true identity using either its CIP's established documentary and non-documentary verification methods, the PPSI will obtain information about individuals with authority or control over such account in order to verify the customer's identity. | V.B.2.ii.c | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(2)(ii)(C)
Require a PPSI CIP include procedures for when it cannot form a reasonable belief that it knows the true identity of a customer that describe: (1) when the PPSI should not open an account, (2) the terms under which a customer may use an account while the PPSI attempts to verify the customer's identity, (3) when the PPSI should close an account after attempts to verify a customer's identity fail, and (4) when the PPSI should file a SAR in accordance with applicable law and regulation. | V.B.2.iii | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(2)(iii)
Require the PPSI's CIP include procedures for making and maintaining a record of all information obtained under procedures implementing its program, including at minimum: (1) all identifying information about a customer obtained prior to account opening, (2) a description of any document that was relied on to verify a customer's identity, (3) a description of the methods and results of any measures undertaken to verify the identity of a customer (a) via the PPSI CIP's non-documentary methods or (b) by obtaining information about individuals with authority or control over the account of a customer that is not an individual, and (4) a description of the resolution of each substantive discrepancy discovered when verifying the identifying information obtained. | V.B.3 | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(3)(i)
Require the PPSI to retain the records made using the CIP-specified customer identification information obtained before the opening of an account for five years after the date the account is closed. | V.B.3 | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(3)(ii)
Require the PPSI to retain the records made using CIP-specified methods to verify customer identity via: (1) documentary and non-documentary methods; (2) obtaining information about individuals with authority or control over an account, as applicable; (3) resolving substantive discrepancies discovered when verifying customer identification information for five years after the record is made. | V.B.3 | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(3)(ii)
Require the PPSI's CIP include reasonable procedures to: (1) determine within a reasonable period of time after the account is opened, or earlier if required by another Federal law or regulation or Federal directive issued in connection with the applicable list, whether a customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal Government agency and designated as such by Treasury in consultation with the primary Federal payment stablecoin regulators; and (2) follow all Federal directives issued in connection with such lists. | V.B.4 | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(4)
Require the PPSI's CIP include procedures for providing customers with adequate notice that the PPSI is requesting information to verify their identities. | V.B.5 | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(5)(i)
[[Page 37253]]
Provide that customer notice would be considered adequate if the PPSI generally describes the CIP rule's identification requirements and is provided in a manner reasonably designed to ensure that a prospective customer is able to view the notice, or is otherwise given notice, before opening an account, such as by: (1) the PPSI posting a notice on its website, (2) including the notice in its account applications, or (3) any other form of oral or written notice, depending upon the manner in which the account is opened. | V.B.5 | VIII.A.3.ii | 1033.220(a)(5)(ii)
Provide sample language a PPSI may use to provide notice to its customer, as appropriate. | V.B.5 | VIII.A.3.ii | 1033.220(a)(5)(iii)
Allow for a PPSI's CIP to include procedures specifying when the PPSI will rely on the performance by another financial institution (including an affiliate) of any procedures of the PPSI's CIP, with respect to any customer of the PPSI that is opening, or has opened, an account or has established an account or similar business relationship with the other financial institution to provide or engage in services, dealings, or other financial transactions, provided that: (1) the reliance is reasonable under the circumstances; (2) the other financial institution: (a) is subject to a rule implementing 31 U.S.C. 5318(h) or 12 U.S.C. 5903(a)(5)(A) and is regulated by an FFR; and (b) enters into a contract with the PPSI requiring it to certify annually to the PPSI that it has implemented its AML/CFT program, and that it will perform (or its agent will perform) specified requirements of the PPSI's CIP. | V.B.6 | VIII.A.3.ii, VIII.A.4.i, VIII.A.4.ii.a, VIII.E | 1033.220(a)(6)
Permit that, having considered whether the exemption is consistent with the purposes of the BSA and with safety and soundness, in the public interest, and any other necessary and appropriate factors, the appropriate FFR, with the concurrence of the Secretary, may, by order or regulation, exempt any PPSI or any type of account from the requirements of this section, and the Secretary, with the concurrence of the FFR, may exempt any PPSI or any type of account from the requirements of this section. | V.C | VIII.A.3.i, VIII.A.4.ii.a, VIII.A.4.ii.c | 1033.220(b)
Clarify that nothing in the rule relieves a PPSI of its obligation to comply with any other provision of 31 CFR chapter X, including provisions concerning information that must be obtained, verified, or maintained in connection with any account or transaction, or its obligations with respect to complying with the terms of any lawful order as set forth in chapter X. | V.D | VIII.A.3.i | 1033.220(c)
----------------------------------------------------------------------------------------------------------------
i. New Definitions
As discussed in greater detail in section V.A, FinCEN and the
Agencies propose adding three new terms ``account,'' ``customer,'' and
``digital asset service provider'' to the proposed new PPSI part of its
regulations, 31 CFR 1033.100.\149\ The definitions are proposed for
purposes of this CIP and would only apply to the CIP obligation unless
otherwise expressly noted.\150\
---------------------------------------------------------------------------
\149\ This proposal's definitions are in addition to other terms
defined in the GENIUS Act and proposed to be codified by FinCEN as
part of the PPSI AML/CFT NPRM, most notably, ``digital asset,''
``payment stablecoin,'' and ``permitted payment stablecoin issuer.''
See PPSI AML/CFT NPRM, supra note 4.
\150\ As noted in the PPSI AML/CFT NPRM, supra note 4, for
example, the term ``account'' is used in various FinCEN regulations
and in the GENIUS Act, but the definition of account in this
proposed CIP rule generally only applies to CIP requirements set out
in this proposed rule. Compare 31 CFR 1010.230(c) (referencing in
beneficial ownership requirement the CIP definitions of ``account'')
with 1010.605(c)(2) (defining ``account'' for purposes of special
due diligence obligations without reference to the CIP definitions
of ``account''). As discussed in the PPSI AML/CFT NPRM, the GENIUS
Act directs that PPSIs have the technological capability to comply
and comply with the terms of lawful orders. See 12 U.S.C.
5903(a)(6)(B). Lawful order is defined, in part, by using the word
``account.'' See 12 U.S.C. 5901(16)(B). FinCEN is not intending,
however, to apply the proposed CIP definition of account to the word
``account'' with respect to this obligation.
---------------------------------------------------------------------------
ii. New Requirements
As discussed in section V above, FinCEN and the Agencies are
jointly proposing a rule to implement the GENIUS Act's directive that
PPSIs maintain an effective CIP.
The proposed rule would require that a PPSI's CIP include risk-
based procedures for verifying the identity of each customer to the
extent reasonable and practicable. The procedures must enable the PPSI
to form a reasonable belief that it knows the identity of each
customer. The procedures must be based on the PPSI's assessment of the
relevant risks, including those presented by the various types of
accounts maintained by the PPSI, the various methods of opening
accounts provided by the PPSI, the various types of identifying
information available, and the PPSI's size, location, and customer
base.
The proposed rule would require a PPSI to obtain the following
information prior to opening an account: (1) name; (2) date of birth,
for an individual; or
[[Page 37254]]
date of formation, for a person that is not an individual; (3) address
(a residential and mailing address for individuals, or principal place
of business, local office, or other physical address and mailing
address for a person other than an individual); and (4) an
identification number.
The proposed rule would require that the CIP contain procedures for
verifying the identity of each new customer, using information obtained
from the customer, within a reasonable period of time after the
customer's account is opened. The procedures must describe when the
PPSI would use documents, non-documentary methods, or a combination of
both methods.
The proposed rule states that if the PPSI is relying on documents,
then the CIP must contain procedures that set forth the documents that
the PPSI would use. For an individual, the PPSI could use an unexpired
government-issued identification evidencing nationality or residence
that contains a photograph or similar safeguard, such as a driver's
license or passport. For a person other than an individual, such as a
corporation, partnership, or trust, the document must show the
existence of the entity, such as certified articles of incorporation, a
government-issued business license, a partnership agreement, or a trust
instrument.
For a PPSI relying on non-documentary methods, the CIP must contain
procedures that set forth the non-documentary methods the PPSI would
use. These methods may include, but are not limited to, contacting a
customer; independently verifying the customer's identity through the
comparison of information provided with respect to the customer with
information obtained from a consumer reporting agency, public database,
or other source; checking references with other financial institutions;
or obtaining a financial statement.
FinCEN and the Agencies believe that while the majority of
customers may be verified through documentary and non-documentary
methods, there may be instances where this is not possible. The risk
that the PPSI would not know the customer's true identity may be
heightened for certain types of accounts, such as an account opened in
the name of a corporation, partnership, or trust that is created or
conducts substantial business in a jurisdiction that has been
designated by the United States as a primary money laundering concern
or has been designated as non-cooperative by an international body.
The proposed rule states that the PPSI's CIP would be required to
include procedures for responding to circumstances in which the PPSI
cannot form a reasonable belief that it knows the true identity of a
customer. These procedures should describe: (1) when the PPSI should
not open an account; (2) the terms under which a customer may use an
account while the PPSI attempts to verify the customer's identity; (3)
when the PPSI should close an account after attempts to verify a
customer's identity fail; and (4) when the PPSI should file a SAR in
accordance with applicable law and regulation.
The proposed rule states that the CIP must include procedures for
making and maintaining a record of all information obtained under
procedures implementing the CIP. This is consistent with the
requirement of 31 U.S.C. 5318(l)(2)(B) that CIPs include procedures for
maintaining records of the information used to verify a person's
identity, including name, address, and other identifying information.
At a minimum, proposed Sec. 1033.220(a)(3)(i) requires that the record
must include: (1) all identifying information about a customer obtained
under the CIP; (2) a description of any document relied on to verify
the identity of the customer under the CIP, noting the type of
document, any identification number contained in the document, the
place of issuance, and if any, the date of issuance and expiration
date; (3) a description of the methods and results of any measures
undertaken to verify the identity of a customer; and (4) a description
of the resolution of each substantive discrepancy discovered when
verifying the identifying information obtained.
Additionally, the proposed rule states that a PPSI must retain the
identifying information about a customer obtained under Sec.
1033.220(a)(3)(i)(A) of the proposed rule for five years after the
date the account is closed, and the records regarding the
verification of a customer's identity collected under
paragraphs (a)(3)(i)(B), (C), and (D) of this section for five years
after the record is made.
Consistent with 31 U.S.C. 5318(l)(2)(C), the proposed rule outlines
that the CIP would be required to include reasonable procedures for
determining whether a customer appears on any list of known or
suspected terrorists or terrorist organizations issued by any Federal
government agency and designated as such by Treasury in consultation
with the Federal functional regulators. The procedures must require the
PPSI to make such a determination within a reasonable period of time
after the account is opened, or earlier if required by another Federal
law or regulation or Federal directive issued in connection with the
applicable list. The procedures must also require the PPSI to follow
all Federal directives issued in connection with such lists.
Lastly, the proposed rule states that the CIP would be required to
include procedures for providing customers with adequate notice that
the PPSI is requesting information to verify their identities. The
proposed rule considers notice adequate if the PPSI generally describes
the identification requirements of this section and provides such
notice in a manner reasonably designed to ensure that a prospective
customer is able to view the notice, or is otherwise given notice,
before opening an account. For example, depending upon the manner in
which the account is opened, a PPSI may post a notice on its website,
include the notice in its account applications, or use any other form
of oral or written notice. The proposed rule provides a sample notice.
4. Anticipated Economic Effects
This section provides FinCEN's and the Agencies' analysis of the
expected costs and benefits of the proposed rule as attributed to the
elements of the regulation with foreseeable incremental effects. While
not all costs and benefits are readily quantifiable, in this analysis
FinCEN and the Agencies have sought to include an evaluation of certain
foreseeable non-quantified economic benefits in addition to quantified
costs to more comprehensively assess the potential net benefit of the
proposed rule and select alternatives.
i. Expected Benefits
The proposed rule aims to clarify and standardize CIP requirements
across all issuers of payment stablecoin that apply and are granted
registration as PPSIs. This standardized obligation across all types of
PPSIs would also harmonize the CIP obligations for payment stablecoin
issuers with those applicable to other types of covered financial
institutions, including banks. By standardizing CIP requirements for
PPSIs, the potential for PPSIs to exploit opportunities to engage in
regulatory arbitrage may be reduced. As discussed in section VIII.A.1,
the expected economic benefits of the proposed rulemaking hinge on its
ability to reduce the potential exploitation of this arbitrage as well
as reducing the inefficiencies that the positive externalities of
effective customer identification practices and the negative
externalities generated by insufficient customer identification and
[[Page 37255]]
recordkeeping engender. A more even regulatory playing field might also
remove the risk of potential inefficient overinvestment or socially
costly underinvestment in the level of customer identification that
could otherwise be attributable to regulatory uncertainty. Moreover,
such standardization avoids the creation of regulatory gaps that
criminals can exploit.
While these anticipated benefits are more difficult to quantify
than the costs, the proposed rule is nonetheless expected to generate
value insofar as risk-based, effective CIPs can contribute to the
detection and deterrence of money laundering and terrorist financing
and support broader BSA policy goals. A PPSI's efforts to obtain and
verify the identity of account holders or respond to circumstances in
which the PPSI cannot form a reasonable belief that it knows the true
identity of a customer would help reduce the ability of money
launderers, criminals, and other illicit finance actors to access U.S.
financial markets through PPSIs. Maintaining records would enhance
PPSIs' internal compliance efforts and aid PPSI and enforcement
personnel in detecting and taking measures to prevent potential illicit
finance activity. Establishing a CIP with these elements would help
PPSIs systematize, and in some cases automate, practices that
facilitate the detection of attempted financial crimes and ensure that
PPSIs have effective practices for identifying and verifying the
identities of their customers and prospective customers. Insulating
this financial market from abuse by bad actors of potentially
significant social and monetary value is essential to its growth and
longevity and protects the integrity of the broader U.S. financial
system.
ii. Expected Costs
This section assesses the foreseeable costs to the respective
parties expected to be incrementally economically impacted by the
proposed rule.\151\ This section is organized as follows. First, it
estimates select cost profiles likely to be incurred by PPSIs,
including both start-up costs and recurring administrative and
maintenance costs based on relevant cost information associated with
each identified category of required compliance activity. The
discussion of expected costs then describes potential costs to PPSI
customers and concludes with an estimate of government implementation
costs for oversight and enforcement.
---------------------------------------------------------------------------
\151\ Hourly burden figures presented for cost estimates in this
section are rounded to the nearest hundredth of an hour for
presentation purposes. Total burden figures are produced using
unrounded figures for accuracy.
---------------------------------------------------------------------------
The sum of the proposed rule's expected incremental quantified
costs (unadjusted) over a multi-year time horizon is presented in
Table 4.\152\ This includes expected costs to a static population of 50
PPSIs of approximately $284,000 in the first year, and an average of
approximately $239,000 in each year thereafter; \153\ expected costs to
an anticipated PPSI customer base that increases by 65 percent year
over year of approximately $1.0 million annually in the first year, and
approximately the same amount each year thereafter; \154\ and expected
costs to the government of approximately $982,000 in the period leading
up to the first effective year of the final rule, approximately $1.3
million in the first effective year, and approximately $913,000 per
year thereafter. In total, the quantified economic costs of the
proposed rule would amount to an average burden of approximately $2.3
million per year once a final rule became effective. FinCEN and the
Agencies invite comment on whether the analysis of the average costs
for each component of the CIP as outlined in section VIII.A.4.ii.a is
an accurate reflection of the cost faced by issuers of products that
may be considered payment stablecoins. In addition, FinCEN and the
Agencies request comment on whether there are any additional cost
categories that FinCEN and the Agencies have failed to consider.
---------------------------------------------------------------------------
\152\ The corresponding net present value (NPV) of the aggregate
costs displayed in Table 4 is $5.8 million ($6.6 million) using a
seven percent (three percent) discount rate, or an average
annualized aggregate cost of $2.2 million ($2.3 million) in each of
the first three years in which a final rule would be effective. Of
these costs, the NPV of costs that would be borne by PPSIs is
estimated over the same three-year time horizon to be $688,399
($718,797) using a 7 percent (3 percent) discount rate,
respectively. This equates to annualized costs of $254,695
($254,117) using the same discount rates, or $5,094 ($5,082) per
year per PPSI on average.
\153\ Note, the incremental costs presented in this subsection
differ in several aspects from the PRA recordkeeping and reporting
costs presented below (see infra section VIII.E). The cost totals
presented here reflect the estimated incremental costs that would
result from this proposed rule, while the costs presented in section
VIII.E analysis include pro forma accounting of all costs associated
with the PRA recordkeeping and reporting activities required by the
proposed rule, even if such activities are already being conducted
by the respondents.
\154\ As described in infra section VIII.A.4.ii.b, these costs
are essentially identical to those incurred as a result of general
AML/CFT program requirements. Therefore, these costs should not be
considered as being in addition to the customer costs contemplated
in FinCEN's accompanying rulemaking on general AML/CFT program
requirements for PPSIs. See PPSI AML/CFT NPRM, at section XII.4.ii,
supra note 4.
Table 4--Quantified Incremental Costs of the Proposed Rule by Year
----------------------------------------------------------------------------------------------------------------
Affected party                         Year (-1)       Year 1       Year 2       Year 3   3-Year average
----------------------------------------------------------------------------------------------------------------
PPSIs...........................  ..............     $283,572     $238,723     $238,723         $253,673
New PPSI Customers..............  ..............    1,025,400    1,025,400    1,025,400        1,025,400
Government......................         981,698    1,347,789      912,634      912,634        1,057,686
Annual Incremental Costs........         981,698    2,656,761    2,176,757    2,176,757        2,336,758
----------------------------------------------------------------------------------------------------------------
a. PPSIs
1. Establishing and Maintaining a Written CIP
The proposed rule would require a PPSI to establish and maintain a
CIP aligned with, and integrated into, its broader risk-based and
reasonably designed AML/CFT program. As described in section VIII.3.ii,
a PPSI must also use this approach to establish and maintain a well-
designed, written CIP that establishes and maintains the operational
framework for executing effective identity verification.
If an entity that becomes a PPSI does not already have a CIP that
is consistent with the proposed rule's requirements, that prospective
PPSI would have to newly establish or else modify its existing customer
identification practices. Creating or modifying the policies and
procedures detailed in the CIP would entail costs for these entities.
Such entities may incur costs both while implementing new or modified
policies and procedures, as well as when newly programming, or
modifying existing programming of, their automated systems and testing
those
[[Page 37256]]
systems. These costs are expected to be significantly lower for PPSIs
that are subsidiaries of insured depository institutions, which are
currently required to have established procedures in place for
obtaining identifying information of customers in compliance with BSA
requirements.\155\ By contrast, other PPSIs are less likely to have
policies and procedures in place that meet the minimum requirements in
the rule, and are therefore expected to face higher up-front CIP
implementation costs.
---------------------------------------------------------------------------
\155\ 31 CFR 1020.220.
---------------------------------------------------------------------------
These design, implementation, documentation, and maintenance costs
are distinct from similar costs to establish and maintain the PPSI's
overall AML/CFT program but would generally be expected to be guided by
the same principles of risk-based, allocatively efficient construction.
As such, CIP implementation costs are expected to vary not just by
whether a PPSI is affiliated with or is an institution with a CIP
obligation, but also by the nature of the types of accounts the PPSI
maintains, the methods it provides to open an account, the types of
identifying information available from customers, and the PPSI's own
unique size, location, and customer base. However, to simplify the
remainder of the analysis, FinCEN and the Agencies distinguish
primarily between PPSIs affiliated with an insured depository
institution or ``IDI'' (referred to for simplicity as ``IDI-subsidiary
PPSIs'') and PPSIs that are not affiliated with a subsidiary of an
insured depository institution (referred to for simplicity as ``non-IDI
subsidiary PPSIs'') in developing compliance-related expected cost
profiles. FinCEN and the Agencies request comment on the share of PPSIs
that would likely already have CIPs established and would therefore not
incur the full costs associated with establishing and maintaining a
CIP.
The average burden, measured in time, for a non-IDI subsidiary PPSI
to establish and maintain a written CIP that encompasses all the
regulatory elements as grouped and described in section VIII.A.3 above
is expected to range from approximately 20 to 30 hours per firm (an
average of 25 hours per firm). For IDI-subsidiary PPSIs, these
activities are expected to require about ten to 15 hours per firm (with
an average of approximately 12 hours per firm) in the first year,
depending on each institution's existing digital infrastructure. For
both PPSI types, FinCEN estimates that this activity would take, on
average, approximately ten hours annually in subsequent years.
CIP establishment and maintenance activities would therefore be
expected to result in an incremental cost of approximately $3,115 per
non-IDI subsidiary PPSI, $1,495 per IDI-subsidiary PPSI,\156\ and a
total collective cost of approximately $107,139 in the first year after
the proposed rule is finalized.\157\ In each subsequent year, ongoing
establishment and maintenance is expected to result in an average cost
of approximately $1,246 per PPSI, and a total average annual cost of
approximately $62,290 for 50 PPSIs.\158\
---------------------------------------------------------------------------
\156\ FinCEN notes that because, in its approach to calculating
expected costs, different costs apply to PPSIs of various (1) types
(e.g., whether a PPSI is a subsidiary of an insured depository
institution or not) and (2) sizes, average values may not
meaningfully represent the economic cost that any single, particular
PPSI may expect to incur.
\157\ Throughout this analysis, FinCEN and the Agencies apply an
hourly wage rate that is a general composite hourly wage rate
($87.61) scaled by a private sector benefits factor of 1.42 ($124.58
= $87.61 x 1.42). This incorporates Bureau of Labor Statistics (BLS)
mean wage data associated with six occupational codes (11-1010:
Chief Executives; 11-3021: Computer and Information Systems
Managers; 11-3031: Financial Managers; 13-1041: Compliance Officers;
23-1010: Lawyers and Judicial Law Clerks; 43-3099: Financial Clerks,
All Other) for each of the nine groupings of NAICS industry codes
that FinCEN and the Agencies determined are most directly comparable
to its 11 categories of potentially affected financial institutions
as delineated in 31 CFR parts 1020 to 1030. See BLS, May 2024--
National industry-specific and by ownership, available at https://www.bls.gov/oes/tables.htm. Given that many occupations provide
benefits beyond wages (e.g., insurance and paid leave), FinCEN and
the Agencies apply the private sector benefit factor to the unloaded
wage rate to reflect the total cost to the employer. The benefit
factor is the ratio of total compensation (which includes wages and
benefits) to wages. Total compensation = 43.94 and Wages and
salaries = 30.90 (1.42 = 43.94 / 30.90) as of June 2024, based on
the private industry workers series data downloaded from BLS. BLS,
Employer Costs for Employee Compensation data, available at https://www.bls.gov/news.release/archives/ecec_09102024.pdf.
\158\ See Tables 9 and 10, infra section VIII.E.3.
---------------------------------------------------------------------------
2. Obtaining and Verifying Customer Identification Information
The proposed rule would require a PPSI's CIP to include the
collection of certain information prior to opening a new account. This
information would include, at a minimum, the name, date of birth,
address, and identification number of each customer opening new
accounts. Centralized stablecoin issuers already obtain identifying
information from customers, such as their names and addresses, since
most issuers need to uniquely identify each of their customers
operationally and these particular forms of personally identifiable
information are common ways of doing so. Therefore, the associated
incremental cost of compliance with the requirement is expected to be
relatively small for all PPSIs.
Despite this, some new costs for PPSIs can be anticipated because
some may not be obtaining all the information required by the proposed
rule or doing so consistently. These issuers would face additional
costs in collecting this information and updating their account opening
applications to insert procedures requesting that customers provide the
required information.
The proposed rule would further require a PPSI's CIP to include
procedures to verify the identity of each customer and would provide
issuers with multiple possible methods to do so, which would mitigate
the costs of such activities.\159\ For example, depending on the
procedures implemented--including through documentary or non-
documentary methods, as provided by the rule--and based on the issuer's
assessment of the relevant risks, customers that open accounts with an
issuer may simply provide a copy of documents showing its existence as
a legal entity. Alternatively, issuers may, for example, obtain a
financial statement from the customer or compare the information
provided by the customer with information obtained from a consumer
reporting agency or public database.
---------------------------------------------------------------------------
\159\ See proposed Sec. 1033.220(a)(2)(ii).
---------------------------------------------------------------------------
The documentary and non-documentary verification methods set forth
in the proposed rule to verify the identities of customers are not
meant to be an exclusive list of the appropriate means of verification.
Other reasonable methods may be available now or in the future. The
purpose of making the rule flexible in this regard is to allow payment
stablecoin issuers to select verification methods that are reasonable
and practicable. Methods that are appropriate for an issuer with a
small, familiar customer base may not be sufficient for an issuer with
more customers from many different geographic regions. The proposed
rule recognizes this fact and, therefore, allows an issuer to employ
such verification methods as would be suitable to form a reasonable
belief that it knows the true identities of its customers.
FinCEN and the Agencies recognize that obtaining and verifying the
identity of each customer would result in incremental costs for many
PPSIs if these firms currently do not use verification methods or do
not verify identities in a way that is consistent with the proposed
rule's requirements.
[[Page 37257]]
FinCEN and the Agencies also note that this requirement for customer
identification information collection and verification, which is
applied to all customers equally, is distinct from the requirements to
conduct customer due diligence as required in the accompanying proposed
rule on AML/CFT program requirements for PPSIs. Unlike generalized CIP
collection and verification, that due diligence requires prioritized,
risk-based screening based on factors identified by the PPSI.
As discussed earlier, FinCEN estimates that the ``average'' PPSI
would have approximately 1,000 legal entity clients that it interacts
with directly.\160\ The proposed requirements do not require PPSIs to
collect information on existing customers,\161\ and therefore FinCEN
only estimates incremental costs for collecting information on new
customers. As described earlier, FinCEN and the Agencies used public
data on on-chain minting and redemption activity to examine annual
rates of customer growth and turnover, and estimate that the average
new customer rate is 65 percent of the number of existing customers.
Therefore, FinCEN expects the average PPSI to collect information on
approximately 650 new customers per year.
---------------------------------------------------------------------------
\160\ See supra section VIII.A.2.b.
\161\ Under the proposed rule, PPSIs would not be required to
collect information from existing customers unless there is reason
to believe the issuer does not know the true identity of a customer,
a scenario that FinCEN anticipates would be uncommon. FinCEN
requests comment on whether it is reasonable to assume that all
PPSIs would have reason to believe they know the true identity of
their customers.
---------------------------------------------------------------------------
Due to the wide range of models employed by issuers, FinCEN and the
Agencies acknowledge a range of costs for customer information
collection and verification. However, nearly all stablecoin issuers
already collect significant customer information on primary market
customers in the ordinary course of business. Nevertheless, the
customer information collection requirements in this proposal may still
entail a relatively small incremental burden on a per-customer basis
for non-IDI subsidiary PPSIs, which may be inherently less familiar
with CIP information collection requirements than banks. Nearly all
primary market customers interfacing with stablecoin issuers directly
are legal entities, and FinCEN estimates that non-IDI subsidiary PPSIs
would require an average of three minutes to collect any additional
required information from each customer. For IDI-subsidiary PPSIs, more
streamlined incremental information collection processes associated
with the existing CIP program of the parent company can be anticipated.
For this reason, FinCEN estimates an average time to correspond with
each customer and collect the required information of two minutes. For
small PPSIs, FinCEN and the Agencies conservatively assume it would
take three minutes per PPSI to collect information from each customer.
In summary, FinCEN expects that the collection of customer
information to comply with the proposed rule would cost approximately
$4,049 per non-IDI subsidiary PPSI, or a total of $80,977 annually. For
IDI-subsidiary PPSIs, FinCEN and the Agencies expect a per-firm cost of
approximately $2,699, which results in approximately $80,977 annually
for all firms of this type.\162\ Table 5 below provides a comparative
summary of these costs for each PPSI type.
---------------------------------------------------------------------------
\162\ See also Tables 9 and 10, infra section VIII.E.3.
Table 5--Estimated Annual Incremental Cost Associated With Obtaining and Verifying Customer Identification
Information by PPSI Type
----------------------------------------------------------------------------------------------------------------
PPSI type                         Hours per PPSI   Cost per PPSI   Number of PPSIs   Total burden hours   Total cost
----------------------------------------------------------------------------------------------------------------
Non-IDI Subsidiary PPSIs........            32.5          $4,049                20                  650      $80,977
IDI-Subsidiary PPSIs............            21.7           2,699                30                  650       80,977
----------------------------------------------------------------------------------------------------------------
3. Recordkeeping
The proposed rule requires certain records to be retained for a
five-year period following the creation of the record \163\ and others
to be retained for five years following an account closure.\164\ While
FinCEN and the Agencies generally expect PPSIs to utilize the same
technological infrastructure to securely store CIP-specific records as
they would all other business/operation-related data, it is
nevertheless foreseeable that some incremental costs might accrue. To
allow for this, FinCEN includes a PRA recordkeeping cost for non-labor,
technology costs that include an annual $100 baseline storage cost for
each PPSI and a per-record cost of $0.10 associated with storing
customer records.\165\ Based on an estimate of 650 new customers per
PPSI per year, the corresponding incremental storage cost would be $165
per PPSI per year, or an aggregate total of $8,250 annually for a
population of 50 PPSIs.
---------------------------------------------------------------------------
\163\ These records pertain to the methods and information used
to verify customer identification information and are described in
proposed Sec. 1033.220(a)(3)(i)(B), (C), and (D). For the
recordkeeping requirement, see proposed Sec. 1033.220(a)(3)(ii).
\164\ These records include the customer identification
information required before an account is opened as described in
proposed Sec. 1033.220(a)(3)(i)(A). For the recordkeeping
requirement, see proposed Sec. 1033.220(a)(3)(ii).
\165\ See infra section VIII.E.2.iii.
---------------------------------------------------------------------------
4. Comparing Customers With Government Lists
The proposed rule would require a PPSI's CIP to include reasonable
procedures for determining whether a customer appears on any list of
known or suspected terrorists or terrorist organizations issued by any
Federal government agency and designated as such by Treasury in
consultation with the Federal payment stablecoin regulators. Such a
list has not yet been issued.
Nevertheless, similar list-checking activities should already be
industry practice by stablecoin issuers and other financial
institutions that are U.S. persons because an obligation already exists
for such U.S. persons to check their customers against the Specially
Designated Nationals (SDN) List administered by OFAC. While the burden
associated with this evaluation of customers against the SDN List is
also considered as part of the separate proposed rule to impose AML/CFT
program and sanctions compliance program requirements on PPSIs,\166\
failure to comply with current obligations, such as by engaging in
appropriate customer screening, could result in criminal or civil
penalties for a stablecoin issuer.
---------------------------------------------------------------------------
\166\ See PPSI AML/CFT NPRM, supra note 4.
---------------------------------------------------------------------------
Since a list as described in proposed Sec. 1033.220(a)(4) has not
yet been issued, and to a certain extent the prospective requirement to
compare customers
[[Page 37258]]
against a future list reinforces existing market practices, the cost
resulting from this requirement is currently expected to be de minimis.
5. Providing Notice to Customers
The proposed rule would require a PPSI's CIP to include procedures
for providing its customers with adequate notice that the issuer is
requesting information to verify their identities.\167\ Proposed Sec.
1033.220(a)(5)(ii) sets forth general adequacy standards for the
content of a notice and states that notice may be provided in a manner
reasonably designed to ensure that a customer is able to view the
notice, or is otherwise given notice, before opening an account. For
example, if an account is opened electronically, such as through an
internet website, the issuer may provide notice electronically. Because
the notice is a standardized disclosure included with all applications,
FinCEN does not anticipate a per-customer burden, but rather a one-time
upfront cost to add the notice to application materials. FinCEN also
allows for an average one-hour ongoing annual burden to review and
update the notice if necessary. Because proposed Sec.
1033.220(a)(5)(iii) provides sample notice text, the burden of
preparing or revising the textual content of a PPSI's notice is
expected to take proportionately less time and effort than a PPSI's
other presentation-related business-specific decisions, such as
location (as banner text online, inline on a form, etc.) and
accessibility (including formatting, number of languages/translations
to provide, number of distinct locations, methods of messaging, and
platforms to place notice), among other attributes, which FinCEN and
the Agencies expect to be informed by a PPSI's approach to risk-based
and reasonably designed programs, generally.
---------------------------------------------------------------------------
\167\ See proposed Sec. 1033.220(a)(5)(i).
---------------------------------------------------------------------------
FinCEN estimates that the average annual cost for this activity
would be approximately $124.58 per PPSI, yielding an aggregate average
annual cost of approximately $6,229 for 50 expected PPSIs.\168\
---------------------------------------------------------------------------
\168\ See Tables 9 and 10, infra section VIII.E.3.
---------------------------------------------------------------------------
b. PPSI Customers
As presented above in section VIII.A.2.ii.b, the typical stablecoin
issuer that could be considered a payment stablecoin issuer would have
approximately 100 legal entity clients that it interacts with directly
and the population of unique prospective PPSI customers that could be
affected parties as U.S. legal persons is no more than 10,000. As
described in section VIII.A.2.ii.b, these non-individual persons, legal
entities, or other businesses belong to several categories, including
digital exchanges, specialized digital commodities traders, and other
types of investment- and securities-related businesses that, aside from
digital exchanges, would generally all be classified under NAICS code
523 (``Securities, Commodity Contracts, and Other Financial Investments
and Related Activities''). Accordingly, $102.54 was used to estimate
hourly costs to PPSI customers.\169\
---------------------------------------------------------------------------
\169\ Based on a BLS mean industry hourly wage rate of $72.11.
BLS, Occupational Employment and Wage Statistics: Industry:
Securities, Commodity Contracts, and Other Financial Investments and
Related Activities (May 2024), available at https://data.bls.gov/oes/#/industry/523000. The BLS mean industry hourly wage rate of
$72.11 was scaled by a benefits factor of 1.42. See supra note 157.
---------------------------------------------------------------------------
FinCEN estimates that PPSI customers, which are mostly financial
institutions engaged in trading a broad range of stablecoin products as
part of their investment portfolios, or exchanges seeking to provide
off-chain liquidity to retail customers for a similarly broad range of
stablecoin products, will likely initiate at least one new primary
market relationship each year, although this frequency may fluctuate.
In order to generate a conservative estimate, FinCEN and the Agencies
assume for purposes of this analysis that all primary market
participants would be required to provide this information at least
once during the course of business in a given year when interacting
with a new PPSI, while acknowledging significant uncertainty around
this estimate. FinCEN and the Agencies request public comment on this
assumption.
Assuming that 10,000 customers would spend, on average,
approximately one hour to collect, review, and transmit the required
customer identification information to its PPSI counterparties each
year, this would imply that costs to PPSI customers could be as much as
$1.03 million annually.
This estimate is highly conservative and likely to overestimate the
true incremental costs of the proposed CIP requirements to PPSI
customers for a number of reasons. For one, it assumes that all primary
market participants will be required to provide this information once
during the course of business in any given year as a function of
opening or attempting to newly open an account with a PPSI, which may
not be true for many customers. Additionally, these costs may be
included in, or otherwise indistinguishable from, customer costs
attributable to other business reasons to collect and provide
identifying information to a PPSI, including as necessary to satisfy a
PPSI's general AML/CFT program requirements. Some customers may be
required to submit information to identify themselves and support a
PPSI's required verification activities, and in some cases, submit
additional information about select key individuals associated with the
customer in order for a PPSI to satisfy its separate needs to meet
certain general AML/CFT program requirements and requirements unique to
its CIP. However, the collection and production of this information by
the customer is generally the same, or a highly overlapping, set of
activities. Therefore, the customer costs presented here should not be
treated as strictly additive to the customer costs articulated in
FinCEN's rulemaking that proposes general AML/CFT program requirements
for PPSIs.
c. Government Costs
To implement the proposed rule, FinCEN anticipates incurring
certain operating costs that would include approximately $0.98 million
in the year prior to the final rule's effective date, $1.35 million in
the first year the rule is in effect, and an average of approximately $0.91
million in each subsequent year. These estimates include
anticipated expenses related to rulemaking and maintenance, stakeholder
outreach and informational support, compliance monitoring, and
potential enforcement activities as well as certain incremental
increases to pre-existing administrative and logistic expenses.
FinCEN acknowledges that this treatment of cost estimates
implicitly assumes that increased resources commensurate with any novel
operating costs would exist. If this assumption does not hold, then
operating costs associated with a rule may impose certain economic
costs on the public in the form of opportunity costs from the agency's
forgone alternative activities and those activities' attendant
benefits. Putting that into the context of this proposed rule, and
benchmarking against FinCEN's actual appropriated budget for fiscal
year 2025 ($190,193,000),\170\ the corresponding opportunity cost could
resemble forgoing up to 0.7 percent (0.5 percent) of current activities
in the first year (each subsequent year) in which a final rule was
effective. However, to the
[[Page 37259]]
extent that activities FinCEN would undertake as a function of the
proposed rule would functionally substitute for or otherwise replace
forgone activities, such an estimate likely overstates the potential
economic costs to FinCEN and, consequently, the public.
---------------------------------------------------------------------------
\170\ FinCEN, Congressional Budget Justification FY 2026 (May
2025), available at https://home.treasury.gov/system/files/266/11.-FinCEN-FY-2026-CJ.pdf.
---------------------------------------------------------------------------
These estimates do not include the potential costs borne by other
regulators or entities engaged in informational outreach, examinations,
or related supervisory actions of enforcement activities as a
consequence of the proposal. Consequently, the cost estimates here may
understate the burden of activities required to promote compliance with
the rules as proposed and the full scope of government costs.
5. Consideration of Policy Alternatives
FinCEN and the Agencies considered several alternatives to the
currently proposed version of the rule, but are limiting the
presentation here to considerations where public response may be most
useful. Some of the alternatives described below are scenarios that may
have resulted in reduced burdens for PPSIs but would do so at the
expense of forgone benefits or efficiency gains. Other alternatives
would have resulted in more significant burdens. For the reasons
described below, FinCEN and the Agencies decided not to propose any of
these alternatives. FinCEN and the Agencies invite comment on these
alternatives, and on any other alternatives that were not considered
here.
i. Alternative Definitions of ``Customer''
FinCEN and the Agencies considered adopting wider definitions of
``customer'' to encompass additional market activity, namely on the
secondary market. While the PPSI AML/CFT NPRM does propose some
requirements for PPSIs with regard to secondary market activity,\171\
this proposed rule limits customer information collection with regard
to the CIP to primary market customers (i.e., such as when a PPSI
engages in issuing, converting, redeeming, repurchasing, burning, and
reissuing payment stablecoins, as well as providing associated
services, such as providing custodial services).\172\
---------------------------------------------------------------------------
\171\ See PPSI AML/CFT NPRM, supra note 4.
\172\ PPSIs may also engage in ``digital asset service
provider'' activities (as specified in the GENIUS Act), and
activities incidental thereto, that are authorized by a primary
Federal payment stablecoin regulator or State payment stablecoin
regulator, consistent with applicable law. Such activities include
exchanging and transferring digital assets. See 12 U.S.C. 5901(7),
5903(a)(7)(B).
---------------------------------------------------------------------------
Collecting information on secondary market customers would have
significant benefits, but is also practically challenging. Almost all
(approximately 99 percent) of stablecoin transaction activity takes
place on the secondary market. In addition to most transaction volume
occurring in the secondary market, nearly all users of payment
stablecoin products are secondary market users, as most large payment
stablecoin issuers set significant financial requirements for primary
market participants that exclude retail traders.
Despite this being the location of significant activity, and
potentially significant risk, issuers have a limited ability to collect
customer information on the secondary market. The secondary market
includes both ``on-chain'' transactions (actual blockchain exchanges of
digital assets) and ``off-chain'' transactions (ledger/book
transactions made by third-party exchanges for which no evidence
appears on the blockchain). Market participants tend to use the two
types of secondary trading for different purposes. On-chain
transactions typically include digital asset transactions (such as
arbitrage trading or institutional flows) and a small portion of direct
payments for purposes like remittances across international borders.
Off-chain transactions are where most retail trading takes place. The
ratio of on-chain to off-chain transaction activity varies
significantly by product, but in the aggregate, a majority of
transaction volume for likely payment stablecoin products occurs off-
chain.\173\ Even for products where most transaction volume occurs on-
chain, a majority of the actual economic value for these products is
typically held in the wallets of exchange providers for off-chain
trading. For either type of activity, it is most often the case that no
customer information is collected in secondary market transactions by
the stablecoin issuer itself.
---------------------------------------------------------------------------
\173\ Among the four largest payment stablecoin products
evaluated by FinCEN, about 35 percent of the total trading volume
was estimated to occur on-chain. However, this varied significantly
by product, and two of the products examined had significantly more
relative trading volume on-chain. The location of secondary market
activity depends heavily on the way in which the product is used and
how it is marketed.
---------------------------------------------------------------------------
Many exchange operators facilitating off-chain activity collect
customer information in a manner similar to the information collected
by issuers for their primary market customers. However, exchanges
rarely share this information with issuers. For secondary market
customers trading stablecoins on the blockchain itself, identities are
often anonymous or pseudonymous. Blockchains are by nature
decentralized algorithms, so there is often no central collection point
at which identifying information is collected.
This being the case, FinCEN and the Agencies opted to confine the
definition of customer for the purpose of customer information
collection under the proposed rule to those undertaking primary market
transactions directly with the issuer.
ii. Alternative Information Requirements
Another alternative that FinCEN and the Agencies considered was
requiring customers to provide additional information beyond what is
required by the proposed rule. The proposed rule would require issuers
to collect, at a minimum, the name, address, and government-issued
identification number or incorporation document for legal entity
customers. For instance, FinCEN and the Agencies might have required
customers to provide any blockchain wallet addresses associated with a
legal entity, incorporation or tax documents, or certain identifying
financial information such as account numbers. However, FinCEN and the
Agencies opted not to require these items for several reasons. First,
many issuers already collect this additional information in the
ordinary course of business, and are best situated to determine what,
if any, additional information is necessary to make risk-based
decisions about a customer. Second, the absence of this information
does not exempt an issuer from the responsibility to assess the money
laundering and terrorist financing risks associated with a customer or
their transactions. Given this broader programmatic obligation, little
may be lost in letting it remain the issuer's prerogative to determine
when or whether such additional information is necessary.
iii. Size-Related Alternatives
FinCEN and the Agencies considered modifying the proposed rule's
requirements for small payment stablecoin issuers or establishing an
asset threshold for certain compliance obligations of payment
stablecoin issuers that are not bank subsidiaries. As discussed in more
detail in the IRFA (section VIII.C.1.ii.b), FinCEN utilizes a threshold
of $200 million in total reserve assets to identify small payment
stablecoin issuers that are not subsidiaries of insured depository
institutions. FinCEN and the Agencies considered using this threshold
as a tailoring benchmark, whereby issuers under the threshold would be
allowed
[[Page 37260]]
to apply for PPSI status under lessened CIP standards designed to
reduce compliance cost. However, FinCEN and the Agencies opted against
this alternative. Creating some category of PPSI subject to lessened
CIP requirements would conceivably result in the targeting of these
issuers by illicit actors seeking to circumvent regulatory scrutiny.
Further, FinCEN's analysis indicates that most technology services that
enable customer information collection as described here are highly
scalable, allowing small issuers to readily identify and employ more
cost-effective options.
B. Executive Orders 12866, 13563, and 14192
E.O. 12866 directs agencies to assess the costs and benefits of
available regulatory alternatives and, if regulation is necessary, to
select regulatory approaches that maximize net benefits (including
potential economic, environmental, and public health and safety
effects; distributive impacts; and equity). E.O. 13563 emphasizes the
importance of quantifying both costs and benefits, reducing costs,
harmonizing rules, and promoting flexibility. E.O. 13563 also
recognizes that some benefits are difficult to quantify and provides
that, where appropriate and permitted by law, agencies may consider and
discuss qualitatively values that are difficult or impossible to
quantify.
This proposed rule has been designated a ``significant regulatory
action'' under E.O. 12866; accordingly, it has been reviewed by OMB.
This action, if finalized, is expected to be considered an E.O.
14192 regulatory action.
C. Regulatory Flexibility Analysis
When an agency issues a proposed rulemaking, the RFA requires the
agency either to provide an IRFA with a proposed rule or certify that
the proposed rule would not have a significant economic impact on a
substantial number of small entities.
1. FinCEN IRFA
Because the proposed rule may have a significant economic impact on
a substantial number of certain types of PPSIs that may qualify as
small entities, FinCEN undertook the following analysis. In the event
that FinCEN has potentially overestimated the anticipated scope and
significance of the economic burden of the proposed rule on small
entities, and certification would instead be more appropriate, comments
to this effect--including studies, data, or other evidence--are
invited.
i. The Proposed Rule: Objectives, Description, and Legal Basis
The proposed rule would implement FinCEN's regulations that
prescribe the minimum requirements for CIPs for PPSIs as described
earlier in section V.
The legal basis for the proposed rule is the GENIUS Act.\174\ The
GENIUS Act creates a regulatory framework for payment stablecoins in
the United States.\175\ Under the GENIUS Act, it generally will be
unlawful for any person other than a PPSI to issue a payment stablecoin
in the United States.\176\ The GENIUS Act outlines certain reserve,
capital, liquidity, and risk management requirements for PPSIs and
tasks implementing those requirements to the Agencies, and, as
applicable, State payment stablecoin regulators.\177\
---------------------------------------------------------------------------
\174\ See supra section II.
\175\ See generally 12 U.S.C. 5901-5916.
\176\ See 12 U.S.C. 5902(a), 5901(23) (defining ``permitted
payment stablecoin issuer''); see also 12 U.S.C. 5902(c)
(permitting, but not requiring, Treasury to issue regulations
providing limited safe harbors from 12 U.S.C. 5902(a)); 12 U.S.C.
5916.
\177\ 12 U.S.C. 5903(a)(4).
---------------------------------------------------------------------------
The GENIUS Act requires that a PPSI ``be treated as a financial
institution for purposes of the Bank Secrecy Act, and as such, shall be
subject to all Federal laws applicable to financial institutions
located in the United States relating to economic sanctions, preventing
money laundering, customer identification, and due diligence.'' \178\
In addition to its general directive, the GENIUS Act specifies that a
PPSI's obligations must include maintenance of an effective CIP,
including identifying and verifying the PPSI's account holders.\179\
---------------------------------------------------------------------------
\178\ 12 U.S.C. 5903(a)(5)(A).
\179\ 12 U.S.C. 5903(a)(5)(A)(v).
---------------------------------------------------------------------------
The proposed rule would implement the GENIUS Act by proposing a
requirement for PPSIs to maintain an effective CIP, including
identification and verification of account holders. It includes
requirements related to documenting customer verification procedures,
requisite customer information, required recordkeeping, comparison with
government lists, and customer notification.
ii. The Expected Impact on Small Entities
The expected impact of the rule on small entities varies across
three distinct types of PPSIs: those that are subsidiaries of insured
depository institutions; FQPSIs; \180\ and SQPSIs.\181\ FinCEN has
incorporated the Agencies' RFA analyses with respect to their nexuses
with these respective types and limited its own further analysis below
to the remaining potential future PPSIs that it anticipates. As the
proposed rulemaking may also affect the small entities that are
customers of PPSIs, this population was also subject to IRFA
requirements and is included in section VIII.C.1.ii.c below.
---------------------------------------------------------------------------
\180\ 12 U.S.C. 5901(11). In the PPSI AML/CFT NPRM FinCEN
proposes to define this category in its regulations (see proposed
Sec. 1010.100(vvv)) using essentially the same language as the
statutory definition. See PPSI AML/CFT NPRM, supra note 4, at
section VI.C.1.xi.
\181\ 12 U.S.C. 5901(31). In the PPSI AML/CFT NPRM, FinCEN
proposes to define this category in its regulations (see CFR
1010.100(xxx)) using essentially the same language as the statutory
definition. See PPSI AML/CFT NPRM, supra note 4, at section
VI.C.1.xiii.
---------------------------------------------------------------------------
a. Small PPSIs Considered by the Agencies
Analyses of the expected impact on PPSIs that would be subject to
their jurisdiction were conducted by each of the Agencies and are
appended with their respective certifications in sections VIII.C.2, 3,
4, and 5 below.
b. Other Potential Small PPSIs
The U.S. Small Business Administration (SBA) definition of ``small
entity'' as defined in 13 CFR 121.201 includes businesses, nonprofits,
and small government entities with fewer than 50,000 residents.\182\
---------------------------------------------------------------------------
\182\ Some stablecoin issuers are organized as nonprofit
entities and are included in this count.
---------------------------------------------------------------------------
Based on analysis of the distributional data separately analyzed by
FinCEN in the IRFA accompanying the PPSI AML/CFT NPRM, FinCEN
considered applying a functional definition of ``small entity'' for
purposes of this IRFA that would correspond closely to the 80th
percentile threshold, which was rounded to $200 million for convenience
in that proposed rule. FinCEN is requesting comment on the appropriateness
of the $200 million threshold in both that NPRM and this proposed rule.
The proposed $200 million threshold would capture approximately 76
percent of current stablecoin issuers that meet the GENIUS Act
definitional criteria to be eligible for potential future PPSI status.
That is, of the pre-GENIUS Act population of 25 stablecoin issuers that
may be eligible to meet the GENIUS Act's definitional criteria for
future PPSIs (see Table 1), 19 had fewer than $200 million in total
circulating payment stablecoin product values. Together, these 76
percent of current
[[Page 37261]]
stablecoin issuers hold less than one percent of aggregate market
average total assets.
To examine the expected impact of the proposed rule on small
entities, FinCEN used two steps: the first step was to estimate the
total number of potential future small entities that would be affected
by the proposed rule, and the second step was to estimate the
significance of this impact on those entities.
In order to contextualize the relative significance of costs
associated with the proposed rule for small PPSIs, FinCEN used
estimates of total assets to estimate likely revenues for such issuers.
Stablecoin issuers generally derive revenue from investment returns on
their reserve holdings. As described in the GENIUS Act, PPSIs would be
permitted to invest reserve funds in several different types of asset
classes, including government-backed securities. Based on prevailing
interest rates, FinCEN assumed issuers would likely receive returns of
about five percent on invested funds. While actual returns may
fluctuate and fall below or above this estimate, this value represents
a benchmark for estimation purposes. To validate this assumption,
FinCEN examined actual revenue values as reported by current stablecoin
issuers and compiled in quarterly MSB Call Report data. While five
percent of total assets was generally within the same order of
magnitude as actual reported revenue, actual revenues often exceeded
five percent.
Returns in excess of prevailing rates for government-issued fixed
income securities can be due to several factors. First, stablecoin
issuers often ``over collateralize'' their products, meaning that they
hold larger reserve portfolios than are required to redeem every coin
at par value. This practice helps protect from market fluctuations and
affords issuers greater flexibility during times of financial stress.
In such cases, stablecoin issuers have reserve portfolios that are
larger than the circulating value of their products, leading to returns
in excess of those implied by multiplying their circulating value by
prevailing rates of return for common reserve investments. Stablecoin
issuers may also invest excess reserves in higher-yielding products or
loans whose rates of return exceed those of government-backed
securities. In addition to this, several other factors might lead to
larger returns. For example, stablecoin issuers may offer certain fee-
based services to customers, and may account for certain unrealized
gains as revenue, increasing reported revenue levels.
Bearing these factors in mind, FinCEN retained five percent of
total assets as a reasonable benchmark for revenue. This parameter was
chosen in order to retain an estimate of revenue that does not minimize
costs or possible fluctuations in returns. In other words, by using a
conservative but realistic estimate, FinCEN avoids underestimating the
relative impact of compliance costs associated with the proposed rule.
FinCEN requests comment on the appropriateness of using five percent of
total reserve assets as an estimate of these firms' revenue.
In section VIII.A.4.ii, FinCEN discussed the expected incremental
costs of compliance with the proposed rule for PPSIs. As that section
detailed, the incremental first-year costs of the proposed CIP
requirements for PPSIs not covered by the Agencies' analyses are
expected to be approximately $7,500 per PPSI in the first year, and
approximately $5,600 in the average subsequent year.
Table 5--CIP Costs as a Share of Modeled Annual Revenue
----------------------------------------------------------------------------------------------------------------
                               Percentage of small issuers for which Year-1 CIP costs exceed:
Year    Modeled CIP            --------------------------------------------------------------
        program cost           1% of modeled revenue          3% of modeled revenue
----------------------------------------------------------------------------------------------------------------
1       $7,500                 61                             34
2+      5,600                  45                             26
----------------------------------------------------------------------------------------------------------------
At this time, FinCEN assesses that there is insufficient data to
forecast with meaningful precision the proportion of the total
population of potential future PPSIs that would resemble current
stablecoin issuers that would qualify as small entities or to consider
the potential economic significance of the proposed CIP requirements
differentially by type. FinCEN has therefore provided the analysis in
Table 5 for illustrative purposes only to facilitate an assessment of
how economically significant the proposed CIP requirements might be if
future small PPSIs were comparable to current stablecoin issuers whose
products meet the GENIUS Act's definitional criteria for a future
payment stablecoin. Comments and data are invited to assist in analyzing
the potential effects of the proposed CIP requirements on small PPSIs,
particularly those that would not be the subsidiaries of insured
depository institutions.
c. Small Business Customers of PPSIs
In addition to these entities, FinCEN expects the proposed
rule, if adopted, to have impacts on the primary market customers of
PPSIs. Many of these entities, which include digital asset exchanges,
specialized commodities traders, and other investment firms, are small
businesses. Using the data described earlier,\183\ FinCEN estimates
that there are approximately 300,000 primary market customers that
interact directly with stablecoin issuers. However, FinCEN estimates
that a substantial portion of these may be affiliates of a single
counterparty or associated with non-U.S. entities. FinCEN estimates
that the number of affected U.S. businesses is no more than 10,000.
These businesses belong to several categories, including digital asset
exchanges, specialized digital commodities traders, and other types of
investment- and securities-related businesses. Aside from digital asset
exchanges, FinCEN expects that nearly all of these firms would be part
of the NAICS classifications under industry code 523 (``Securities,
Commodity Contracts, and Other Financial Investments and Related
Activities'').
---------------------------------------------------------------------------
\183\ See supra section VIII.A.2.ii.b.
[[Page 37262]]
Table 6--Description of PPSI Customer Small Entities
----------------------------------------------------------------------------------------------------------------
                               Approximate               SBA small-                                 Average annual
Primary market customer type   number of    NAICS code   business       Percentage considered       revenue of small
                               customers                 threshold      small \a\                   entities \b\
----------------------------------------------------------------------------------------------------------------
Other Investment Firms         10,000       523          $47 million    97.7% (about 9,770 firms)   $1.55 million
Digital Asset Exchanges \c\    300          523210       $47 million    70% (about 210 firms)       $5.85 million
----------------------------------------------------------------------------------------------------------------
\a\ To estimate the number of small entities in NAICS code 523, FinCEN used the U.S. Census 2022 Statistics of
U.S. Businesses Data by Enterprise Receipts Size. U.S. Census, 2022 Statistics of U.S. Businesses Data by
Enterprise Receipts Size, available at https://www.census.gov/data/tables/2022/econ/susb/2022-susb-annual.html. FinCEN calculated the proportion of small businesses in NAICS code 523 with less than $50 million
in annual receipts (the closest available threshold). For Digital Asset Exchanges, FinCEN used internal data.
\b\ Revenue data for NAICS code 523 and Digital Asset Exchanges was collected from the U.S. Census 2022
Statistics of U.S. Businesses Data by Enterprise Receipts Size and internal data, respectively.
\c\ Note, these 300 customers are a subset of the 10,000 customers captured under NAICS code 523.
While a substantial number of these firms would be required to
provide customer information to the PPSIs they wish to engage in direct
transactions with, the cost of providing this information is expected
to be de minimis relative to the average revenue of these firms.\184\
Therefore, while a substantial number of businesses may be providing
information to PPSIs, FinCEN does not contemplate that this requirement
would constitute a significant effect when considered in relation to
their overall revenue.
---------------------------------------------------------------------------
\184\ This cost is estimated to be less than $200 per firm
annually, on average. See section VIII.A.4.ii.b.
---------------------------------------------------------------------------
iii. Other Matters: Duplicate, Overlapping, Conflicting, and
Alternative Requirements
FinCEN is unaware of any existing Federal regulations that would
overlap or conflict with the proposed rule. As discussed in section
III, in a related, complementary rulemaking FinCEN is proposing to
apply additional GENIUS Act and BSA obligations to PPSIs, including,
for example, AML/CFT program requirements and suspicious activity
reporting requirements. This rulemaking deals exclusively with a CIP
requirement, which is not contained within the related, complementary
rulemaking.
Additionally, FinCEN has considered certain alternatives to the
proposed rule that take into consideration the expected costs and
potential benefits to small entities. As discussed in greater detail in
section VIII.A.5.iii, FinCEN considered modifying the requirements for
small entities. As discussed in that section, FinCEN opted against this
exclusion for several reasons. Creating some category of PPSI for
small issuers that would be subject to lessened CIP requirements could
conceivably lead illicit actors who seek to circumvent regulatory
scrutiny to target these small issuers. Additionally, FinCEN's analysis
indicates that most technology services that enable customer
information collection as described here are highly scalable, allowing
small issuers to readily identify and employ more cost-effective
options.
In addition, as discussed in greater detail in section VIII.A.5.ii,
FinCEN also considered adopting additional information reporting
requirements for new customers. Because some primary market customers
of potential PPSIs may themselves be small businesses, such a
requirement that expanded reporting requirements beyond what
information is already provided in the ordinary course of business may
have presented an incremental cost for some number of these small
entities. However, as discussed in section VIII.A.5.ii, FinCEN opted
not to augment these requirements. Many issuers already collect this
additional information in the course of business, and are best situated
to determine what, if any, additional information is necessary to
support overall AML/CFT goals. As a result, FinCEN expects no
incremental cost burden to small entity customers of potential PPSIs as
a result of the requirements in the proposed rule.
2. OCC Certification
The proposal will apply to entities overseen by the OCC. The OCC
currently supervises 997 institutions (national banks, Federal savings
associations, and branches or agencies of foreign banks),\185\ of which
approximately 609 are small entities under the RFA.\186\ In general,
the OCC classifies the economic impact on an individual small entity as
significant if the total estimated impact in one year is greater than
five percent of the small entity's total annual salaries and benefits
or greater than 2.5 percent of the small entity's total non-interest
expense. Furthermore, the OCC considers five percent or more of OCC-
supervised small entities to be a substantial number, and at present,
30 OCC-supervised small entities would constitute a substantial number.
---------------------------------------------------------------------------
\185\ Financial Institution Data Retrieval System Data, accessed
February 20, 2026.
\186\ The OCC estimated the number of small entities based on
the SBA's size thresholds for commercial banks and savings
institutions, and trust companies, which are $850 million and $47
million, respectively. Consistent with the General Principles of
Affiliation 13 CFR 121.103(a), the OCC counted the assets of
affiliated financial institutions when determining if it should
classify an OCC-supervised institution as a small entity. The OCC
used December 31, 2024, to determine size because a ``financial
institution's assets are determined by averaging the assets reported
on its four quarterly financial statements for the preceding year.''
See footnote 8 of the SBA, Table of Small Business Size Standards
(Mar. 17, 2023), available at https://www.sba.gov/document/support-table-size-standards.
---------------------------------------------------------------------------
In the OCC's NPRM published March 2, 2026, the OCC stated, ``Given
that all current OCC banks that issue stablecoins generally have
issuance of over $1 billion and are not considered small entities and
the lack of small entity stablecoin issuers, the OCC will need to wait
for more information to determine whether it is likely that there will
be a significant number of small entities affected by the proposed
rule. At this time, the OCC does not expect that the proposed rule
would have a significant impact on a substantial number of small
entities under the RFA.'' \187\
---------------------------------------------------------------------------
\187\ OCC, Implementing the Guiding and Establishing National
Innovation for U.S. Stablecoins Act for the Issuance of Stablecoins
by Entities Subject to the Jurisdiction of the Office of the
Comptroller of the Currency, 91 FR 10202 (Mar. 2, 2026).
---------------------------------------------------------------------------
The OCC continues to expect that small entities will not be the
initial adopters of this technology because of the compliance
infrastructure and capital necessary to support stablecoin issuance. As
such, the OCC anticipates that future FQPSIs would not be small
entities as defined by the SBA (currently $850 million in assets for
financial entities). Hence, the proposed rule would not have a
significant impact on a substantial number of small entities
[[Page 37263]]
under the OCC's purview for purposes of the RFA.
3. Board IRFA
The Board is providing an initial regulatory flexibility analysis
with respect to this proposal. The RFA requires an agency to consider
whether the rules it proposes will have a significant economic impact
on a substantial number of small entities. Under regulations issued by
the SBA, a ``small'' entity includes a depository institution, bank
holding company, or savings and loan holding company with total assets
of $850 million or less.\188\ For purposes of this section, any
reference to ``small'' entities is a reference to this definition.
---------------------------------------------------------------------------
\188\ See 13 CFR 121.201. Consistent with the SBA's General
Principles of Affiliation, the Board includes the assets of all
domestic and foreign affiliates toward the applicable size threshold
when determining whether to classify a particular entity as a small
entity. See 13 CFR 121.103.
---------------------------------------------------------------------------
In connection with a proposed rule, the RFA requires an agency to
prepare an IRFA describing the impact of the rule on small entities,
unless the head of the agency certifies that the proposed rule, if
promulgated, will not have a significant economic impact on a
substantial number of small entities and publishes such certification
along with a statement providing the factual basis for such
certification in the Federal Register. An IRFA must contain (1) a
description of the reasons why action by the agency is being
considered; (2) a succinct statement of the objectives of, and legal
basis for, the proposed rule; (3) a description of, and, where
feasible, an estimate of the number of small entities to which the
proposed rule will apply; (4) a description of the projected reporting,
recordkeeping, and other compliance requirements of the proposed rule,
including an estimate of the classes of small entities that will be
subject to the requirement and the type of professional skills
necessary for preparation of the report or record; (5) an
identification, to the extent practicable, of all relevant Federal
rules which may duplicate, overlap with, or conflict with the proposed
rule; and (6) a description of any significant alternatives to the
proposed rule which accomplish its stated objectives and minimize any
significant economic impact of the proposed rule on small
entities.\189\
---------------------------------------------------------------------------
\189\ 5 U.S.C. 603(b)-(c).
---------------------------------------------------------------------------
The Board has considered the potential impact of the proposed rule
on small entities in accordance with the RFA. Based on its analysis and
for the reasons stated below, the Board believes that this proposed
rule will not have a significant economic impact on a substantial
number of small entities. Nevertheless, the Board is publishing and
inviting comment on this initial regulatory flexibility analysis.
i. Reasons Why Action Is Being Considered by the Board
As explained above, this proposal implements the GENIUS Act's
directives to treat PPSIs as financial institutions for purposes of the
BSA and to require such issuers to maintain an ``effective customer
identification program, including identification and verification of
account holders.'' \190\ The proposed rule would subject PPSIs to CIP
requirements that are comparable to existing CIP requirements for other
financial institutions, such as banks, broker-dealers, mutual funds,
and FCMs and IBCs. It also would require a PPSI to tailor its CIP to
that PPSI's size and type of business, as well as take into
consideration the PPSI's risk based on its unique business--including
the types of accounts it has, how those accounts are opened, and the
identifying information available.
---------------------------------------------------------------------------
\190\ See 12 U.S.C. 5903(a)(5)(A)(v); see also 31 U.S.C.
5318(l).
---------------------------------------------------------------------------
ii. The Objectives of, and Legal Basis for, the Proposal
The proposed rule would prescribe the minimum requirements for CIPs
for PPSIs as described earlier in section V.
Section 4(a)(5)(A) of the GENIUS Act (12 U.S.C. 5903(a)(5)(A))
requires that a PPSI ``be treated as a financial institution for
purposes of the Bank Secrecy Act, and as such, shall be subject to all
Federal laws applicable to financial institutions located in the United
States relating to economic sanctions, preventing money laundering,
customer identification, and due diligence.'' \191\ Additionally,
section 4(a)(5)(A) specifies that a PPSI must maintain an effective
CIP, and must identify and verify the PPSI's account holders.\192\
---------------------------------------------------------------------------
\191\ 12 U.S.C. 5903(a)(5)(A); see also 31 U.S.C. 5318(l).
\192\ 12 U.S.C. 5903(a)(5)(A)(v).
---------------------------------------------------------------------------
The proposed rule would implement the GENIUS Act by proposing a
requirement for PPSIs to maintain an effective CIP, including
identification and verification of account holders. The proposed rule
includes requirements related to documenting customer verification
procedures, requisite customer information, required recordkeeping,
comparison with government lists, and customer notification.
iii. Description of the Compliance Requirements of the Proposal and
Estimate of the Number of Small Entities
The proposed rule would implement the GENIUS Act by proposing a
requirement for PPSIs to maintain an effective CIP, including
identification and verification of account holders. The proposed rule
includes requirements for Board-supervised PPSIs of all sizes related
to documenting customer verification procedures, requisite customer
information, required recordkeeping, comparison with government lists,
and customer notification. The compliance burdens are described in more
detail in section VIII.A.4.ii above.
This NPRM is being issued jointly by FinCEN, along with the Board
and other Agencies as applied to the PPSIs that each Agency supervises.
The expected impact on PPSIs that are subject to the Board's
jurisdiction is analyzed below.
The proposed rule would apply to (i) subsidiaries of insured State
member banks that have been approved by the Board to issue payment
stablecoins and (ii) State-qualified PPSIs that are uninsured State-
chartered depository institutions that have transitioned to the Board's
regulatory framework under section 4(d) of the GENIUS Act (12 U.S.C.
5903(d)). By definition, the proposed rule would only apply to State-
qualified PPSIs that have an outstanding issuance value of more than
$10 billion, and accordingly, would not be considered small for the
purposes of this IRFA. This analysis therefore focuses only on Board-
supervised PPSIs that are subsidiaries of State member banks. The Board
is not aware of any method of determining the identity, industry, or
size of Board-supervised PPSIs that are subsidiaries of State member
banks, given that there are no such entities at this time and it is
difficult to predict how this market will develop. Further, SBA
regulations do not provide small entity thresholds specific to PPSIs.
As a result, this section of the IRFA discusses the size of the parent
State member banks of such PPSIs. The Board believes this approach is
appropriate because, under the GENIUS Act, an insured State member bank
must have ``control'' of a Board-supervised PPSI.\193\
---------------------------------------------------------------------------
\193\ The GENIUS Act defines the term ``subsidiary'' by
reference to the definition of ``subsidiary'' in the Federal Deposit
Insurance Act, which states that a subsidiary includes any company
which is owned or controlled directly or indirectly by another
company. See 12 U.S.C. 5901(32) (``The term ``subsidiary'' has the
meaning given that term in [12 U.S.C. 1813].''); see also 12 U.S.C.
1813(w)(4). In the Federal Deposit Insurance Act, the term
``control'' is defined by reference to the Bank Holding Company Act.
12 U.S.C. 1813(w)(5). The Board's Regulation Y sets out the Board's
presumptions of control and noncontrol under the controlling
influence prong of the Bank Holding Company Act definition of
``control.'' See 12 CFR part 225, subpart D.
---------------------------------------------------------------------------
As of December 31, 2025, there were 703 insured State member
banks.\194\ Of those institutions, 439 are considered small for the
purposes of RFA.\195\ For this analysis, the Board estimates that
between five and ten insured State member banks may, with the Board's
permission, form a Board-supervised PPSI subsidiary in the first few
years after the finalization of the proposed rule. Given the early
stages of the payment stablecoin market, this range accounts for
significant uncertainty regarding the volume of future participants.
The population of Board-supervised PPSIs that are subsidiaries of State
member banks could be higher or lower depending on market demand,
strategic operational choices of insured State member banks and other
institutions eligible to become PPSIs, and future developments in the
digital landscape. By utilizing this range, the Board aims to establish
an estimate that serves as the basis for evaluating the economic
effects of the proposed rule, while acknowledging the inherent
uncertainty resulting from a lack of historical precedent. The Board
expects that the insured State member banks that are most likely to
seek to form a Board-supervised PPSI subsidiary initially will be
larger institutions with the compliance infrastructure and capital
necessary to support a new business line to issue payment stablecoins.
As such, the Board anticipates that most, if not all, insured State
member banks with Board-supervised PPSIs would not be small entities as
defined by the SBA. Even assuming the unlikely scenario that all, i.e.,
the upper-bound number of ten insured State member banks, would be
small and that all ten insured State member banks would be
significantly impacted by the proposed rule, these impacted entities
would comprise a very small percentage of small insured State member
banks.
---------------------------------------------------------------------------
\194\ Call Report Data, December 31, 2025.
\195\ Call Report Data, December 31, 2025.
---------------------------------------------------------------------------
iv. Consideration of Duplicative, Overlapping, or Conflicting Rules and
Significant Alternatives to the Proposal
The Board has not identified any Federal statutes or regulations
that would duplicate, overlap, or conflict with the proposal. The Board
is seeking comment on certain potential alternative approaches to
discrete aspects of the final rule, as discussed elsewhere in this
proposal, most of which would not significantly change the estimated
economic impact of the proposed rule.
vi. Conclusion
Based on its analysis and for the reasons stated above, the Board
believes that the proposed rule is unlikely to have a significant
economic impact on a substantial number of small entities. The Board
welcomes comment on all aspects of its analysis. In particular, the
Board requests that commenters describe the nature of any impact on
small entities and provide empirical data to illustrate and support the
extent of the impact. Additionally, the Board requests that commenters
describe the number of small entities under the RFA and the impact on
small entities.
4. FDIC Certification
The RFA generally requires an agency, in connection with a proposed
rule, to prepare and make available for public comment an initial
regulatory flexibility analysis that describes the impact of the
proposed rule on small entities.\196\ However, an initial regulatory
flexibility analysis is not required if the agency certifies that the
proposed rule would not, if promulgated, have a significant economic
impact on a substantial number of small entities. The SBA has defined
``small entities'' to include banking organizations with total assets
of less than or equal to $850 million.\197\
---------------------------------------------------------------------------
\196\ 5 U.S.C. 601 et seq.
\197\ The SBA defines a small banking organization as having
$850 million or less in assets and determines an organization's
assets by averaging the assets reported on its four quarterly
financial statements for the preceding year. See 13 CFR 121.201 (as
amended by 87 FR 69118, effective December 19, 2022). Following
these regulations, the FDIC uses an FDIC-supervised institution's
affiliated and acquired assets, averaged over the preceding four
quarters, to determine whether the FDIC-supervised institution is
``small'' for the purposes of the RFA.
---------------------------------------------------------------------------
Generally, the FDIC considers a significant economic impact to be a
quantified effect in excess of five percent of total annual salaries
and benefits or 2.5 percent of total non-interest expenses. The FDIC
believes that effects in excess of one or more of these thresholds
typically represent significant economic impacts for FDIC-insured
institutions.
The FDIC estimates the effects of the required mandates of the
proposed rule on small FDIC-supervised entities. For the purposes of
this analysis, the FDIC utilizes a pre-statutory baseline under which
the GENIUS Act is considered unenacted. Under this baseline, no formal
federal framework exists to coordinate and homogenize the issuance of
payment stablecoins, leaving the market to operate under a fragmented
regulatory framework and limited federal guidance.
As previously discussed, the proposed rule would apply to all
PPSIs, including FDIC-supervised PPSIs, which would be subsidiaries of
FDIC-supervised institutions.\198\ As of the quarter ending September
30, 2025, there were 2,772 insured State nonmember banks and State
savings associations. Of those institutions, 2,064 are considered
``small'' for the purposes of RFA.\199\
---------------------------------------------------------------------------
\198\ See 12 U.S.C. 5903(a)(7).
\199\ Federal Financial Institutions Examination Council Reports
of Condition and Income (Call Reports), September 30, 2025.
---------------------------------------------------------------------------
The FDIC recognizes considerable uncertainty regarding the number
of FDIC-supervised PPSIs that would emerge under the proposed
framework. For the purposes of this analysis, the FDIC estimates that
the number of FDIC-supervised PPSIs would likely range between five and
30 in the first few years after the enactment of the proposed rule.
Given the early stages of the payment stablecoin market, this range
accounts for significant uncertainty regarding the volume of future
participants. The population of FDIC-supervised PPSIs under the
proposed rule could be higher or lower depending on market demand,
strategic operational choices of eligible institutions, and future
developments in the digital landscape. By utilizing this range, the
FDIC aims to establish an estimate that serves as the basis for
evaluating the economic effects of the proposed rule, while
acknowledging the inherent uncertainty resulting from a lack of
historical precedent.
Because an FDIC-supervised PPSI must be a subsidiary of an IDI, the
FDIC expects that the initial adopters of this technology would likely
be larger institutions with the compliance infrastructure and capital
necessary to support stablecoin issuance. As such, the FDIC anticipates
that most, if not all, future PPSIs would not be small entities as
defined by the SBA. Therefore, the FDIC believes the proposed rule is
unlikely to have a significant economic impact on a substantial number
of small entities.
However, given the lack of historical precedent and the evolving
nature of the payment stablecoin market, the FDIC conservatively
assumes that, for the purpose of this analysis, all the entities
falling within the previously discussed
scope of five to 30 potential FDIC-supervised PPSIs could be small
entities. By adopting this conservative assumption, the FDIC aims to
provide a comprehensive estimate of the potential economic impact on
small entities.
In the unlikely scenario that all, i.e., the upper-bound number of
30 entities, would be small, the estimated impact on each small entity
would be a de minimis amount. Even if all 30 entities would instead be
significantly impacted by the proposed rule, the FDIC does not consider
30 entities to be a substantial number of small entities.
In light of the foregoing, the FDIC certifies that the proposed
rule would not have a significant economic impact on a substantial
number of small entities. Accordingly, an initial regulatory
flexibility analysis is not required.
The FDIC invites comments on all aspects of the supporting
information provided in this RFA section. The FDIC is particularly
interested in comments on any significant effects on small entities
that the agency has not identified.
5. NCUA Certification
As noted in the FDIC certification, under the RFA an initial
regulatory analysis is not required if the promulgating agency
certifies the proposed rule (if enacted) would not have a ``significant
economic impact'' on a substantial number of ``small entities.'' The
NCUA certifies the economic burden of the CIP rule--both in terms of
likely expenses borne by individual small credit unions and the number
of small credit unions facing significant expenses--falls short of the
RFA materiality threshold.
Under the GENIUS Act, federally insured credit unions (FICUs)
cannot become PPSIs. The credit-union analogue for a bank subsidiary--
at least for purposes of this act--is the credit union service
organization (CUSO).\200\ Currently, the NCUA does not charter, insure,
or collect call-report type data from CUSOs, so there is no formal
definition of small for RFA purposes. Following the FDIC, the NCUA
relies on its traditional approach to RFA analysis by examining the
impact of the CIP rule on FICUs with fewer than $100 million in
assets.\201\ As of September 30, 2025, the NCUA supervised 4,331 FICUs;
of these, 2,553 (or 58.9 percent) qualified as small entities. Compared
with commercial banks, credit unions are quite small. Indeed, the
industry median asset size (again 2025:Q3) was $63.63 million--roughly
one-sixth of the median asset size in the banking industry. Put another
way, 3,813 FICUs (88.0 percent of all FICUs) would qualify as small
under the FDIC RFA threshold (fewer than $850 million).
---------------------------------------------------------------------------
\200\ A CUSO is an entity that provides various products/
services to credit unions and their members. The goals are to (i)
enable credit unions to enjoy economies of scale and (ii) expand the
range of product/service offerings for credit-union members. These
organizations are typically owned by one or more credit unions.
Examples of CUSO products/services include loan origination,
operational support, and IT services.
\201\ Using this traditional approach implicitly assumes (for
analytical purposes only) CUSOs are a formal part of the credit
unions they support. The NCUA Board established the definition of
``small'' (fewer than $100 million in assets) via IRPS 80 FR 57512
in 2015.
---------------------------------------------------------------------------
Predicting the number of PPSIs in the credit-union sector is
difficult because: (i) CUSOs or credit unions have never offered a
product quite like stablecoin; and (ii) as noted, the NCUA--with
extremely limited authority over CUSOs (as third-party vendors)--has
little-to-no anecdotal or formal data to make a forecast. That said,
the National Association of Credit Union Service Organizations (NACUSO)
reported in its 2020 CUSO Market Report that credit unions holding
between $100 and $500 million in assets are by far the largest block of
CUSO customers. Moreover, the credit-union sector has historically been
conservative in its approach to offering products/services with novel
risk dimensions. When such products/services are offered, large credit
unions have been in the forefront. In short, qualitative and
quantitative data suggest the number of PPSIs in the credit-union
sector should be well below that in the banking industry. Specifically,
the NCUA expects the actual number to fall between zero and 10, with
five being a reasonable point estimate. Five represents 0.2 percent of
the total number of small FICUs.
As for the number of small FICUs potentially facing a
``significant'' burden, applying the FBA materiality threshold of
either 5 percent of annual compensation expense or 2.5 percent of total
non-interest expense is problematic because small credit unions: (1)
tend to rely heavily on volunteers; \202\ and (2) often enjoy free
office space provided by a sponsor. Under the FBA compensation
threshold (5 percent), for example, 1,274 small FICUs--49.9 percent of
those holding fewer than $100 million--would face a significant burden.
Similarly, under the FBA non-interest expense threshold (2.5 percent),
1,226 would face an undue burden. At first, both numbers appear to
qualify as ``substantial.'' But, again, it is important to remember
small credit unions typically have relatively simple operations with
plain vanilla product/service offerings. The CUSOs serving these credit
unions would be extremely unlikely to become PPSIs even if the CIP
regulatory burden were zero dollars. So, to arrive at an estimate of
small FICUs potentially facing an undue burden, recall the estimate for
PPSIs industrywide offered above--zero to 10. Now, assume
(unrealistically) the actual number is 10, that all held fewer than
$100 million in assets, and all faced marginal compliance expenses
exceeding 5 percent of compensation expense or 2.5 percent of non-
interest expense. Under these conservative assumptions, only 0.4
percent of small FICUs would face an undue burden. In short, the
relatively modest size and simple operations of ``small'' FICUs--both
absolutely and compared with commercial banks--suggest few would be
interested in stablecoins even if there were no regulatory burden.
Accordingly, it is reasonable to conclude the CIP rule will not have a
significant economic impact on a substantial number of small FICUs.
---------------------------------------------------------------------------
\202\ For example, the median number of paid full-time
equivalent employees for a small FICU is five.
---------------------------------------------------------------------------
D. Unfunded Mandates Reform Act
The UMRA requires that an agency prepare a statement before
promulgating a rule that may result in expenditure by the state, local,
and Tribal governments, in the aggregate, or by the private sector, of
$193 million or more in any one year ($100 million in 1995, adjusted
for inflation).\203\ Section 202 of UMRA also requires an agency to
identify and consider a reasonable number of regulatory alternatives
before promulgating a rule.
---------------------------------------------------------------------------
\203\ The U.S. Bureau of Economic Analysis reports the annual
value of the gross domestic product implicit price deflator for
calendar year 1995 (the year UMRA was enacted) as 66.939, and as
128.974 for calendar year 2025 (the most recent available). Thus,
the inflation-adjusted estimate for $100 million is 128.974 / 66.939
x $100 million, or $192.7 million. See U.S. Bureau of Economic
Analysis, Table 1.1.9. Implicit Price Deflators for Gross Domestic
Product, available at https://apps.bea.gov/iTable/?reqid=19&step=3&isuri=1&1921=survey&1903=13#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJDYXRlZ29yaWVzIiwiU3VydmV5Il0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyNSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ==.
---------------------------------------------------------------------------
As discussed above,\204\ FinCEN and the Agencies have not estimated
the number of potential future SQPSIs given the inherently speculative
nature of such an exercise at this time. Consequently, FinCEN and the
Agencies
are unable to assess the potential burden to state, local, and Tribal
governments of the proposed CIP rule and are, at this time, not
expecting any additional expenditures to these parties as an
incremental cost of the proposed rule. However, FinCEN and the
Agencies' expectation that this rulemaking will not cause material
changes in State expenditures, in particular, should be understood as
relating only to the impact of this rulemaking and not to the impact of
the GENIUS Act writ large. The GENIUS Act envisions an active role for
the states in the regulation of PPSIs as a complement to Federal
regulation.
---------------------------------------------------------------------------
\204\ See supra sections VIII.A.2.ii.a.
---------------------------------------------------------------------------
While the analyses above \205\ and below \206\ indicate that the
proposed rule is not expected to impose incremental novel expenditures
on the private sector of $193 million or more, and hence that
additional economic analysis pursuant to UMRA requirements is not
strictly necessary, FinCEN and the Agencies believe that the preceding
assessment of impact, generally, and consideration of policy
alternatives, specifically, would satisfy the UMRA's analytical
requirements. FinCEN and the Agencies invite public comment on any
additional factors that, if considered, would materially alter the
conclusions of this assessment.
---------------------------------------------------------------------------
\205\ See supra sections VIII.A through C.
\206\ See infra section VIII.E.
---------------------------------------------------------------------------
E. Paperwork Reduction Act
The recordkeeping requirements in the proposed rule, which qualify
as ``collections of information'' under the PRA, will be submitted to
OMB for review in accordance with the PRA.\207\ Under the PRA, an
agency may not conduct or sponsor, and a person is not required to
respond to, a collection of information unless it displays a valid
control number assigned by OMB.\208\ Written comments and
recommendations for the proposed information collection can be
submitted by visiting https://www.reginfo.gov/public/do/PRAMain. Find
this particular document by selecting ``Currently Under Review--Open
for Public Comments'' or by using the search function. Comments are
welcome and must be received by August 21, 2026.
---------------------------------------------------------------------------
\207\ See 44 U.S.C. 3506(c)(2).
\208\ See 44 U.S.C. 3507(a)(3).
---------------------------------------------------------------------------
In accordance with requirements of the PRA, 44 U.S.C.
3506(c)(2)(A), and its implementing regulations, 5 CFR part 1320, the
following information concerning the collection of information as it
relates to the new CIP requirements for covered PPSIs is presented to
assist those persons wishing to comment on the information collections.
1. Description of Affected Financial Institutions and OMB Control
Numbers
OMB Control Number(s): [1506-XXXX].
Description of Affected Entities: Only those covered financial
institutions defined in section 31 CFR 1010.100(t)(11) (i.e., PPSIs)
would be affected.
Estimated Number of Respondents: 50 PPSIs.
FinCEN estimates an average annual population of approximately 50
PPSIs in the first three years, comprised of approximately 20 non-IDI
subsidiary PPSIs and 30 IDI-subsidiary PPSIs.\209\ FinCEN expects these
entities to each have an average of 1,000 customers, with an average of
650 new customers annually.\210\
---------------------------------------------------------------------------
\209\ See supra section VIII.A.2.ii.a.
\210\ See supra section VIII.A.2.ii.b.
---------------------------------------------------------------------------
As this is a developing market, FinCEN and the Agencies acknowledge
significant uncertainty regarding the number of potential PPSIs.
However, as discussed earlier, FinCEN and the Agencies estimate that
IDI-subsidiary PPSIs would have reduced CIP-related expenses due to
their position within a parent's existing CIP program.
2. Estimated Annual Burden Hours
As described in section VIII.A.4.ii.a, each PPSI is expected to
incur recordkeeping burdens associated with the proposed CIP
obligations. FinCEN and the Agencies have identified five main cost
categories associated with the various incremental recurring costs
expected to be incurred by PPSIs to comply with CIP requirements. These
cost categories are: (1) establishing and maintaining a written CIP;
(2) obtaining and verifying customer identification information; (3)
recordkeeping; (4) consulting government lists; and (5) customer
notification.
i. Establishing and Maintaining a Written CIP
PPSIs subject to this rule would have to establish a CIP in
accordance with the proposed rule. FinCEN estimates the average cost
for a PPSI to establish and maintain a written CIP as described in
section VIII.A.4.ii.a.1 to be between approximately 20 and 30 hours per
firm (with an average of 25 hours per firm) in the first year for non-
IDI subsidiary PPSIs, and about ten to 15 hours per firm (with an
average of approximately 12 hours per firm) in the first year for IDI-
subsidiary PPSIs. For both PPSI types, the average burden of these
activities is expected to decrease to approximately ten hours per PPSI,
irrespective of type, in each subsequent year. This activity would
involve tasks such as reviewing the requirements of the rule,
establishing and documenting the program, and updating the CIP when
necessary.
ii. Obtaining and Verifying Customer Identification Information
The proposed rule would require PPSIs to collect and verify certain
information from each customer.\211\ Because the proposal exempts
existing primary market customers from information collection
requirements, the agencies estimate information collection costs for
primary market customers opening new accounts. FinCEN and the Agencies
estimate this cost on a per-customer basis.
---------------------------------------------------------------------------
\211\ See supra section V.B.2.
---------------------------------------------------------------------------
FinCEN estimates a range of costs for customer identification
information collection and verification--most of which would be from
legal entities.\212\ FinCEN estimates that small issuers would require
an average of one hour to correspond with each new customer and collect
the required information, while larger issuers would require only ten
minutes (0.17 hours) per new customer, owing to more volume and
onboarding automation. Thus, FinCEN uses an average of 35 minutes (0.58
hours) per new customer for non-IDI subsidiary PPSIs. For PPSI entities
affiliated with insured depository institutions, FinCEN and the
Agencies estimate more streamlined information collection processes
associated with the existing CIP program of the parent. For this
reason, FinCEN estimates an average time to correspond with each new
customer and collect the required information ranging from ten minutes
for most banks to 20 minutes for some smaller banks. FinCEN uses an
average of 15 minutes (0.25 hours) per new customer.
---------------------------------------------------------------------------
\212\ See supra section VIII.A.2.ii.b.
---------------------------------------------------------------------------
iii. Recordkeeping
The proposed rule would require certain records to be retained for
a five-year period following the creation of the record \213\ and
others to be retained for five years following an account closure.\214\
To allocate burden to these obligations, FinCEN PRA estimates allow for
non-labor, technology costs that include an annual $100 baseline cost
for each PPSI and a per-record cost of $0.10 associated with storing
new customer records in accordance with
similar estimates in prior rulemakings.\215\
---------------------------------------------------------------------------
\213\ See supra note 168.
\214\ See supra note 169.
\215\ See, e.g., FinCEN, Agency Information Collection
Activities; Proposed Renewal; Comment Request; Renewal Without
Change on Information Sharing Between Government Agencies and
Financial Institutions, 90 FR 47125 (Sept. 30, 2025).
---------------------------------------------------------------------------
iv. Comparison With Government Lists
The proposed rule would require a PPSI's CIP to include reasonable
procedures for determining whether a customer appears on any list of
known or suspected terrorists or terrorist organizations issued by any
Federal government agency and designated as such by Treasury in
consultation with the Federal payment stablecoin regulators. While such
a list has not yet been issued, a nominal one-hour burden in the PRA
section is assigned to this requirement to account for the possible
future issuance of such lists.
v. Customer Notification
The proposed rule would require a PPSI's CIP to include procedures
for providing its customers with adequate notice that the issuer is
requesting information to verify their identities. Because the notice
is a standardized disclosure included with all applications, FinCEN
does not anticipate a per-customer burden, but rather a one-time
upfront cost to add the notice to application materials. FinCEN also
assigns a nominal average one-hour ongoing annual burden to review and
update the notice if necessary.\216\
---------------------------------------------------------------------------
\216\ FinCEN and the Agencies request comment on whether PPSIs
would likely incur an annual recordkeeping burden associated with
the proposed customer notification requirement, or whether the
recordkeeping burden is largely incurred when the notification is
initially drafted.
---------------------------------------------------------------------------
vi. Summary of Annual Burden Hours
Tables 7 and 8 present the estimated average annual burden hours
per respondent and the aggregate average annual burden hours for all
affected PPSIs in year one and in subsequent years, respectively.\217\
FinCEN estimates a three-year average annual burden of 264 hours per
PPSI and a three-year average annual burden of 13,178 hours for all 50
PPSIs.\218\
---------------------------------------------------------------------------
\217\ Hourly burden figures presented in Table 7 and Table 8 are
rounded to the nearest hundredth of an hour for presentation
purposes. Total burden figures are produced using unrounded figures
for accuracy.
\218\ FinCEN and the Agencies note that because, in its approach
to calculating expected time burdens, different burden estimates
apply to PPSIs of various (1) types (e.g., whether a PPSI is a
subsidiary of an insured depository institution or not) and (2)
sizes, average values may not meaningfully represent the economic
burden that any single, particular PPSI may expect to incur.
Table 7--Year-1 Burden Hour Estimates
----------------------------------------------------------------------------------------------------------------
Total
Recordkeeping burden attributed to Hours per Number of Hours per Number of burden
response responses respondent respondents hours
----------------------------------------------------------------------------------------------------------------
Establishing and maintaining a written CIP 25 1 25 20 500
(non-IDI subsidiary PPSIs)................
Establishing and maintaining a written CIP 12 1 12 30 360
(IDI-subsidiary PPSIs)....................
Obtaining/verifying customer identification 0.58 650 379 20 7,583
information (non-IDI subsidiary PPSIs)....
Obtaining/verifying customer identification 0.25 650 162.5 30 4,875
information (IDI-subsidiary PPSIs)........
Consulting government lists................ 1 1 1 50 50
Providing notice to customers.............. 1 1 1 50 50
--------------------------------------------------------------------
Total.................................. ........... ........... .............. 50 13,418
----------------------------------------------------------------------------------------------------------------
Table 8--Years 2+ Burden Hour Estimates
----------------------------------------------------------------------------------------------------------------
Total
Recordkeeping burden attributed to Hours per Number of Hours per Number of burden
response responses respondent respondents hours
----------------------------------------------------------------------------------------------------------------
Establishing and maintaining a written CIP. 10 1 10 50 500
Obtaining/verifying customer identification 0.58 650 379 20 7,583
information (non-IDI subsidiary PPSIs)....
Obtaining/verifying customer identification 0.25 650 163 30 4,875
information (IDI-subsidiary PPSIs)........
Consulting government lists................ 1 1 1 50 50
Providing notice to customers.............. 1 1 1 50 50
--------------------------------------------------------------------
Total.................................. ........... ........... .............. 50 13,058
----------------------------------------------------------------------------------------------------------------
3. Estimated Annual Total Costs
Tables 9 and 10 present the average annual cost per respondent and
total annual cost for all affected PPSIs for year one and years two and
three, respectively. FinCEN estimates an average annual labor cost of
$32,835 per PPSI and an aggregate annual labor cost of $1.64 million.
FinCEN additionally estimates an average annual non-labor cost of $165
per PPSI and an aggregate annual non-labor cost of $8,250 to account
for storage and technology costs. In total, FinCEN and the Agencies
estimate an average annual cost of $33,000 per PPSI \219\ and an aggregate
annual cost of $1.65 million.
---------------------------------------------------------------------------
\219\ FinCEN notes again that, due to heterogeneity across the
PPSI population, average costs may not meaningfully represent the
economic burden that any single, particular PPSI may expect to
incur.
[[Page 37268]]
                                    Table 9--Total Estimated Cost in Year 1
----------------------------------------------------------------------------------------------------------------
Recordkeeping burden attributed to                                Hours per    Cost per Total burden  Total cost
                                                                 respondent  respondent        hours
----------------------------------------------------------------------------------------------------------------
Establishing and maintaining a written CIP (non-IDI subsidiary           25      $3,115          500     $62,290
 PPSIs)........................................................
Establishing and maintaining a written CIP (IDI-subsidiary               12       1,495          360      44,849
 PPSIs)........................................................
Obtaining/verifying customer identification information (non-           379      47,237        7,583     944,732
 IDI subsidiary PPSIs).........................................
Obtaining/verifying customer identification information (IDI-           163      20,244        4,875     607,328
 subsidiary PPSIs).............................................
Recordkeeping (Technology)..................................... ...........         165    .........       8,250
Consulting government lists....................................           1         125           50       6,229
Providing notice to customers..................................           1         125           50       6,229
                                                               -------------------------------------------------
    Total...................................................... ........... ...........    .........   1,679,906
----------------------------------------------------------------------------------------------------------------
                               Table 10--Total Estimated Annual Cost in Years 2+
----------------------------------------------------------------------------------------------------------------
Recordkeeping burden attributed to                                Hours per    Cost per Total burden  Total cost
                                                                 respondent  respondent        hours
----------------------------------------------------------------------------------------------------------------
Establishing and maintaining a written CIP.....................          10      $1,246          500     $62,290
Obtaining/verifying customer identification information (non-           379      47,237        7,583     944,732
 IDI subsidiary PPSIs).........................................
Obtaining/verifying customer identification information (IDI-           163      20,244        4,875     607,328
 subsidiary PPSIs).............................................
Recordkeeping (Technology)..................................... ...........         165    .........       8,250
Consulting government lists....................................           1         125           50       6,229
Providing notice to customers..................................           1         125           50       6,229
                                                               -------------------------------------------------
    Total...................................................... ........... ...........    .........   1,635,057
----------------------------------------------------------------------------------------------------------------
4. Aggregate Burden and Cost Estimates
Estimated Number of Respondents: 50 PPSIs.
Estimated Aggregate Three-Year Average Annual Recordkeeping Burden:
Approximately 13,178 hours.
Estimated Aggregate Three-Year Average Annual Recordkeeping Cost:
Approximately $1,650,007.
5. General Request for Comments Under the Paperwork Reduction Act
FinCEN and the Agencies invite comments on: (1) whether the
collection of information is necessary for the proper performance of
the mission of FinCEN, including whether the information would have
practical utility; (2) the accuracy of FinCEN's estimate of the burden
of the proposed collection of information; (3) ways to enhance the
quality, utility, and clarity of the information required to be
maintained; (4) ways to minimize the burden of the collection of
information, including through the use of automated collection
techniques or other forms of information technology; and (5) estimates
of capital or start-up costs and costs of operation, maintenance, and
purchase of services required to report the information.
F. Riegle Community Development and Regulatory Improvement Act
Pursuant to section 302(a) of the Riegle Community Development and
Regulatory Improvement Act of 1994 (RCDRIA), in determining the
effective date and administrative compliance requirements for new
regulations that impose additional reporting, disclosure, or other
requirements on IDIs, each Federal banking agency must consider,
consistent with principles of safety and soundness and the public
interest, any administrative burdens that such regulations would place
on affected depository institutions, including small depository
institutions, and customers of depository institutions, as well as the
benefits of such regulations.\220\ In addition, section 302(b) of the
RCDRIA requires new regulations and amendments to regulations that
impose additional reporting, disclosures, or other new requirements on
insured depository institutions generally to take effect on the first
day of a calendar quarter that begins on or after the date on which the
regulations are published in final form.\221\ The Agencies invite
comments to further inform their consideration of the RCDRIA.
---------------------------------------------------------------------------
\220\ 12 U.S.C. 4802(a).
\221\ 12 U.S.C. 4802(b).
---------------------------------------------------------------------------
G. Plain Language
Section 722 of the Gramm-Leach-Bliley Act \222\ requires the
Federal banking agencies to use plain language in all proposed and
final rulemakings published in the Federal Register after January 1,
2000. The agencies invite your comments on how to make this proposed
rule easier to understand. For example:
---------------------------------------------------------------------------
\222\ 12 U.S.C. 4809.
---------------------------------------------------------------------------
Have the agencies organized the material to suit your
needs? If not, how could the proposed rule be more clearly stated?
Are the requirements in the proposed rule clearly stated?
If not, how could the proposed rule be more clearly stated?
Does the proposed rule contain language or jargon that is
not clear? If so, which language requires clarification?
Would a different format (grouping and order of sections,
use of headings, paragraphing) make the proposed rule easier to
understand? If so, what changes to the format would make the proposed
rule easier to understand?
What else could the agencies do to make the proposed rule
easier to understand?
H. Providing Accountability Through Transparency Act of 2023
The Providing Accountability Through Transparency Act of 2023
requires that a notice of proposed rulemaking include the internet
address of a summary of not more than 100 words in length of a proposed
rule, in plain language, that shall be posted on the internet website
under section 206(d) of the E-Government Act of 2002.\223\
---------------------------------------------------------------------------
\223\ 5 U.S.C. 553(b)(4).
---------------------------------------------------------------------------
[[Page 37269]]
The proposal and the required summary can be found at
www.regulations.gov by searching for Docket IDs FINCEN-2026-0101,
OCC-2026-0331 or NCUA-2026-0793 or https://www.fdic.gov/federal-register-publications.
I. Additional Requests for Comment
1. Are FinCEN and the Agencies' baseline estimates of the number of
market participants accurate? Are there specific sources of data that
would suggest any of these population estimates should be revised?
Please provide data, studies, or anecdotal evidence that would support
any suggested alternatives.
2. Are there other distinct, identifiable subpopulations of the
general public that could reasonably be directly affected by the
proposed rule and should have been considered in the RIA? Please
provide data, studies, or reports that would enhance FinCEN and the
Agencies' ability to identify and quantify such effects.
3. FinCEN and the Agencies assume that a number of depository
institutions would have affiliates or subsidiaries that seek PPSI
status and that other PPSIs would not be subsidiaries of insured
depository institutions. How likely are issuers or potential issuers to
seek PPSI status as a subsidiary of an insured depository institution
versus seeking PPSI status not as a subsidiary of an insured depository
institution?
4. FinCEN and the Agencies made certain assumptions, based on data,
about the number of primary customers that a typical PPSI would have.
How many primary market customers does a typical issuer of payment
stablecoin-type products interact with? What costs do issuers face in
collecting customer information from these entities? How many of these
customers are new to the issuer on an annual basis?
5. Is it likely that any of the 14,575 financial institutions
listed in Table 2 would be relied upon by PPSIs for some aspect of
their CIP compliance? Please provide data, studies, reports, or
anecdotal evidence that would enhance FinCEN and the Agencies' ability
to identify and quantify the effects of such reliance.
6. To what extent should the economic impact on state regulatory
agencies be considered in the RIA? Please provide data, studies, or
reports that would enhance FinCEN's ability to identify and quantify
such effects.
7. Is FinCEN and the Agencies' analysis of the average costs for
each component of the CIP as outlined in section VIII.A.4.ii.a
a reasonable reflection of the cost faced by issuers of products that may
be considered payment stablecoins? If not, are there specific sources
of empirical evidence or data that would suggest these burden estimates
should be revised? Are there any additional cost categories related to
establishing and maintaining a CIP that FinCEN and the Agencies have
failed to consider? Please provide data, studies, or anecdotal evidence
that would support any suggested revisions.
8. What types and share of PPSIs would likely already have CIPs
established and would therefore not incur the full costs associated
with establishing and maintaining a CIP? Are there certain CIPs or
customer identification practices implemented by stablecoin issuers
that this analysis should take into account? Please provide data,
studies, or reports that would enhance FinCEN and the Agencies' ability
to identify this population.
9. Is it reasonable to assume that PPSIs would already have
measures in place to form a reasonable belief that they know the true
identities of their existing customers and therefore would not need to
obtain and verify customer identification information for any of their
existing primary market customers in the first year once the rule would
become effective? If not, what share of PPSIs would need to obtain and
verify customer identification for all or a portion of their existing
customers? Are there specific sources of empirical evidence or data
that would suggest this assumption should be revised? Please provide
data, studies, or anecdotal evidence that would support the suggested
alternative assumption.
10. FinCEN and the Agencies request comment on the alternative
policy options presented in section VIII.A.5 and their economic effect.
11. FinCEN utilized a threshold of less than $200 million in total
reserve assets to define a small payment stablecoin issuer. How
appropriate is this threshold? Similarly, is five percent of total
reserve assets a good estimation of these firms' revenue?
12. The RIA in this NPRM does not include a forecasted population
of potential future SQPSIs due to limitations in data availability.
Please provide data, studies, or anecdotal evidence that would enable
analysis of the potential effects of the proposed requirements on
SQPSIs, generally, and small SQPSIs in particular.
13. The FDIC, Board, NCUA, and OCC invite comments on all aspects
of the supporting information provided in sections VIII.C.2-5,
particularly related to any significant effects on small entities that
the agency has not identified.
14. The economic expectation that the proposed rule may have a
significant economic impact on a substantial number of certain types of
potentially affected small entities is sensitive to key assumptions
about how potentially affected financial institutions would respond to
the proposed requirements. FinCEN and the Agencies request comment on
whether it would instead be more reasonable to certify that the
proposed rule would not have a significant economic impact on a
substantial number of small entities.
15. FinCEN and the Agencies do not anticipate that the proposed
rule would result in novel incremental aggregate expenditures by State,
local, or Tribal governments, or by the private sector of $193 million
or more in any one year. Is this assumption reasonable? If not, what
studies, data, or anecdotal evidence should be taken into consideration
that would update this expectation?
16. Would PPSIs incur ongoing recordkeeping burdens associated with
the proposed customer notification requirement? Or is the recordkeeping
burden largely incurred when the notification is initially drafted? If
it is an ongoing burden, what is the average amount of time spent on
the recordkeeping activity per year?
J. NCUA Analysis on Executive Order 13132 on Federalism
Executive Order 13132 encourages certain regulatory agencies to
consider the impact of their actions on state and local interests. The
NCUA, an agency as defined in 44 U.S.C. 3502(5), complies with the
executive order to adhere to fundamental federalism principles. This
proposed rule would apply to PPSIs. This scope is set by statute. The
NCUA works cooperatively with state regulatory agencies on all
supervisory matters, including AML/CFT matters, and will continue to do
so. The NCUA expects that any effect on states or on the distribution
of power and responsibilities among the various levels of government
will be minor. The NCUA welcomes comments on ways to eliminate, or at
least minimize, any potential impact in this area.
K. NCUA Assessment of Federal Regulations and Policies on Families
The NCUA has determined that this proposed rule would not affect
family well-being within the meaning of section 654 of the Treasury and
General Government Appropriations Act,
[[Page 37270]]
1999.\224\ The proposed rule relates to PPSIs, and any effect on family
well-being is expected to be indirect.
---------------------------------------------------------------------------
\224\ Public Law 105-277, section 654, 112 Stat. 2681, 2681-528
(1998).
---------------------------------------------------------------------------
List of Subjects in 31 CFR Part 1033
Administrative practice and procedure, Banks, banking, Business and
industry, Electronic filing, Foreign persons, Investigations, Law
enforcement, Reporting and recordkeeping requirements, Terrorism.
For the reason set forth in the preamble, FinCEN and the OCC,
Board, FDIC, and NCUA propose that FinCEN amend 31 CFR part 1033, as
proposed to be added at 91 FR 18582 (April 10, 2026), as follows:
PART 1033--RULES FOR PERMITTED PAYMENT STABLECOIN ISSUERS
1. The authority citation for part 1033 continues to read as follows:
Authority: 12 U.S.C. 1829b, 1951-1959, and 5901-5916; 31 U.S.C.
5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115
Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.
2. In Sec. 1033.100, add paragraphs (a) through (c) to read as
follows:
Sec. 1033.100 Definitions.
* * * * *
(a) Account. For the purposes of Sec. 1033.220:
(1) Account means a formal relationship between a customer and a
permitted payment stablecoin issuer established to provide or engage in
services, dealings, or other financial transactions including but not
limited to--
(i) Issuing or redeeming a payment stablecoin;
(ii) Managing related reserves, including purchasing, selling, and
holding reserve assets or providing custodial services for reserve
assets;
(iii) Providing custodial or safekeeping services for payment
stablecoins, required reserves, or private keys of payment stablecoins;
(iv) Other activities that directly support activities in
paragraphs (a)(1)(i) through (iii) of this section; or
(v) Providing services of a digital asset service provider.
(2) Account does not include:
(i) A product or service where a formal relationship is not
established with a person, such as payment stablecoin activity that
does not directly involve the permitted payment stablecoin issuer as a
party to the transaction other than via a smart contract;
(ii) An account that the permitted payment stablecoin issuer
acquires through an acquisition, merger, purchase of assets, or
assumption of liabilities from a financial institution regulated by a
Federal functional regulator or a bank regulated by a State bank
regulator;
(iii) An account opened for the purpose of participating in an
employee benefit plan established under the Employee Retirement Income
Security Act of 1974; or
(iv) Ownership or control of a permitted payment stablecoin
issuer's payment stablecoins alone, without other indicators of a
formal relationship.
(b) Customer. For the purposes of Sec. 1033.220:
(1) Customer means:
(i) A person that opens a new account; and
(ii) An individual who opens a new account for:
(A) An individual who lacks legal capacity, such as a minor; or
(B) An entity that is not a legal person, such as a civic club.
(2) Customer does not include:
(i) A financial institution regulated by a Federal functional
regulator or a bank regulated by a State bank regulator;
(ii) A person described in 31 CFR 1020.315(b)(2) through (4);
(iii) A person that has an existing account with the permitted
payment stablecoin issuer, provided the permitted payment stablecoin
issuer has a reasonable belief that it knows the true identity of the
person; or
(iv) A person acquiring or redeeming a payment stablecoin from a
means other than directly from or directly to the permitted payment
stablecoin issuer.
(c) Digital asset service provider. For the purposes of Sec.
1033.220:
(1) Digital asset service provider means an individual,
partnership, company, corporation, association, trust, estate,
cooperative organization, or other business entity, incorporated or
unincorporated that, for compensation or profit, engages in business in
the United States (including on behalf of customers or users in the
United States) of:
(i) Exchanging digital assets for monetary value, meaning a
national currency or deposit denominated in a national currency;
(ii) Exchanging digital assets for other digital assets;
(iii) Transferring digital assets to a third party;
(iv) Acting as a digital asset custodian; or
(v) Participating in financial services relating to digital asset
issuance.
(2) Digital asset service provider does not include:
(i) A distributed ledger protocol,
(ii) Developing, operating, or engaging in the business of
developing distributed ledger protocols or self-custodial software
interfaces;
(iii) An immutable and self-custodial software interface;
(iv) Developing, operating, or engaging in the business of
validating transactions or operating a distributed ledger; or
(v) Participating in a liquidity pool or other similar mechanism
for the provisioning of liquidity for peer-to-peer transactions.
(3) For purposes of this paragraph (c), the term distributed ledger
protocol means a publicly available and accessible executable software
deployed to a distributed ledger, including smart contracts or networks
of smart contracts.
3. Add Sec. 1033.220 to read as follows:
Sec. 1033.220 Customer identification programs for permitted payment
stablecoin issuers.
(a) Customer identification program: minimum requirements--(1) In
general. A permitted payment stablecoin issuer must establish and
maintain a written Customer Identification Program (CIP) appropriate
for its size and business that, at a minimum, includes each of the
requirements of paragraphs (a)(1) through (5) of this section. The CIP
must be a part of the permitted payment stablecoin issuer's anti-money
laundering (AML)/countering the financing of terrorism (CFT) program.
(2) Identity verification procedures. The CIP must include risk-
based procedures for verifying the identity of each customer to the
extent reasonable and practicable. The procedures must enable the
permitted payment stablecoin issuer to form a reasonable belief that it
knows the true identity of each customer. The procedures must be based
on the permitted payment stablecoin issuer's assessment of the relevant
risks, including those presented by the various types of accounts
maintained by the permitted payment stablecoin issuer, the various
methods of opening accounts provided by the permitted payment
stablecoin issuer, the various types of identifying information
available and the permitted payment stablecoin issuer's size, location,
and customer base. At a minimum, these procedures must contain the
elements described in this paragraph (a)(2).
(i) Customer information required--(A) In general. The CIP must
contain procedures for opening an account that specify the identifying
information that
[[Page 37271]]
will be obtained with respect to each customer. Except as permitted by
paragraph (a)(2)(i)(B) of this section, the permitted payment
stablecoin issuer must obtain, at a minimum, the following information
from the customer prior to opening an account:
(1) Name;
(2) Date of birth, for an individual; or date of formation, for a
person that is not an individual;
(3) Address, which shall be:
(i) For an individual, a residential or business street address;
(ii) For an individual who does not have a residential or business
street address, an Army Post Office (APO) or Fleet Post Office (FPO)
box number, or the residential or business street address of a next of
kin or of another contact individual; or
(iii) For a person other than an individual (such as a corporation,
partnership, or trust), a principal place of business, local office, or
other physical location; and
(4) Identification number, which shall be:
(i) For a U.S. person, a taxpayer identification number; or
(ii) For a non-U.S. person, one or more of the following: a
taxpayer identification number; passport number and country of
issuance; alien identification card number; or number and country of
issuance of any other government-issued document evidencing nationality
or residence and bearing a photograph or similar safeguard; or
(iii) For a non-U.S. person that is not an individual and that does
not have an identification number, the permitted payment stablecoin
issuer must request alternative government-issued documentation
certifying the existence of the person.
(B) Exception for persons applying for a taxpayer identification
number. Instead of obtaining a taxpayer identification number from a
customer prior to opening an account, the CIP may include procedures
for opening an account for a person that has applied for, but has not
received, a taxpayer identification number. In this case, the CIP must
include procedures to confirm that the application was filed before the
person opens the account and to obtain the taxpayer identification
number within a reasonable period of time after the account is opened.
(ii) Customer verification. The CIP must contain procedures for
verifying the identity of each customer, using information obtained in
accordance with paragraph (a)(2)(i) of this section, within a
reasonable time before or after the customer's account is opened. The
procedures must describe when the permitted payment stablecoin issuer
will use documents, non-documentary methods, or a combination of both
methods, as described in this paragraph (a)(2)(ii).
(A) Verification through documents. For a permitted payment
stablecoin issuer relying on documents, the CIP must contain procedures
that set forth the documents the permitted payment stablecoin issuer
will use. These documents may include:
(1) For an individual, an unexpired government-issued
identification evidencing nationality or residence and bearing a
photograph or similar safeguard, such as a driver's license or
passport; and
(2) For a person other than an individual (such as a corporation,
partnership, or trust), documents and any amendments thereto showing
the existence of the entity, such as certified articles of
incorporation, a government-issued business license, a partnership
agreement, or a trust instrument.
(B) Verification through non-documentary methods. For a permitted
payment stablecoin issuer relying on non-documentary methods, the CIP
must contain procedures that set forth the non-documentary methods the
permitted payment stablecoin issuer will use.
(1) These methods may include contacting a customer; independently
verifying the customer's identity through the comparison of information
provided with respect to the customer with information obtained from a
consumer reporting agency, public database, or other source; checking
references with other financial institutions; or obtaining a financial
statement.
(2) The permitted payment stablecoin issuer's non-documentary
procedures must address situations where an individual is unable to
present an unexpired government-issued identification document that
bears a photograph or similar safeguard; the permitted payment
stablecoin issuer is not familiar with the documents presented; the
account is opened without obtaining documents; the customer opens the
account without meeting in person; and the permitted payment stablecoin
issuer is otherwise presented with circumstances that increase the risk
that the permitted payment stablecoin issuer will be unable to verify
the true identity of a customer through documents.
(C) Additional verification for certain customers. The CIP must
address situations where, based on the permitted payment stablecoin
issuer's risk assessment of a new account opened by a customer that is
not an individual, the permitted payment stablecoin issuer will obtain
information about individuals with authority or control over such
account in order to verify the customer's identity. This verification
method applies only when the permitted payment stablecoin issuer cannot
verify the true identity of a customer that is not an individual using
the verification methods described in paragraphs (a)(2)(ii)(A) and (B)
of this section.
(iii) Lack of verification. The CIP must include procedures for
responding to circumstances in which the permitted payment stablecoin
issuer cannot form a reasonable belief that it knows the true identity
of a customer. These procedures should describe:
(A) When the permitted payment stablecoin issuer should not open an
account;
(B) The terms under which a customer may use an account while the
permitted payment stablecoin issuer attempts to verify the customer's
identity;
(C) When the permitted payment stablecoin issuer should close an
account after attempts to verify a customer's identity fail; and
(D) When the permitted payment stablecoin issuer should file a
Suspicious Activity Report in accordance with applicable law and
regulation.
(3) Recordkeeping. The CIP must include procedures for making and
maintaining a record of all information obtained under procedures
implementing this paragraph (a).
(i) Required records. At a minimum, the record must include:
(A) All identifying information about a customer obtained under
paragraph (a)(2)(i) of this section;
(B) A description of any document that was relied on under
paragraph (a)(2)(ii)(A) of this section, noting the type of document,
any identification number contained in the document, the place of
issuance, and if any, the date of issuance and expiration date;
(C) A description of the methods and results of any measures
undertaken to verify the identity of a customer under paragraphs
(a)(2)(ii)(B) and (C) of this section; and
(D) A description of the resolution of each substantive discrepancy
discovered when verifying the identifying information obtained.
(ii) Retention of records. The permitted payment stablecoin issuer
must retain the records made under paragraph (a)(3)(i)(A) of this
section for five years after the date the account is closed and the
records made under
[[Page 37272]]
paragraphs (a)(3)(i)(B) through (D) of this section for five years
after the record is made.
(4) Comparison with Government lists. The CIP must include
reasonable procedures for determining whether a customer appears on any
list of known or suspected terrorists or terrorist organizations issued
by any Federal Government agency and designated as such by Treasury in
consultation with the primary Federal payment stablecoin regulators.
The procedures must require the permitted payment stablecoin issuer to
make such a determination within a reasonable period of time after the
account is opened, or earlier if required by another Federal law or
regulation or Federal directive issued in connection with the
applicable list. The procedures must also require the permitted payment
stablecoin issuer to follow all Federal directives issued in connection
with such lists.
(5) Notice--(i) Customer notice. The CIP must include procedures
for providing customers with adequate notice that the permitted payment
stablecoin issuer is requesting information to verify their identities.
(ii) Adequate notice. Notice is adequate if the permitted payment
stablecoin issuer generally describes the identification requirements
of this section and provides such notice in a manner reasonably
designed to ensure that a prospective customer is able to view the
notice, or is otherwise given notice, before opening an account. For
example, depending upon the manner in which the account is opened, a
permitted payment stablecoin issuer may post a notice on its website,
include the notice in its account applications, or use any other form
of oral or written notice.
(iii) Sample notice. If appropriate, a permitted payment stablecoin
issuer may use the following sample language to provide notice to its
customers:
IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT
To help the government fight the funding of terrorism and money
laundering activities, Federal law requires all financial
institutions to obtain, verify, and record information that
identifies each natural or legal person who opens an account, which
may be an individual or a person other than an individual (such as a
corporation, partnership, or trust).
What this means for you: When you open an account, we will ask
for the name, address, date of birth or formation, tax
identification number, and other information pertaining to the
accountholder. This information will help us verify the identity of
the accountholder. We may also ask to see identifying documents
pertaining to the accountholder, such as a driver's license (if you
are an individual) or a business license, articles of incorporation,
or trust instrument (if the accountholder is not an individual).
(6) Reliance on another financial institution. The CIP may include
procedures specifying when the permitted payment stablecoin issuer will
rely on the performance by another financial institution (including an
affiliate) of any procedures of the permitted payment stablecoin
issuer's CIP, with respect to any customer of the permitted payment
stablecoin issuer that is opening, or has opened, an account or has
established an account or similar business relationship with the other
financial institution to provide or engage in services, dealings, or
other financial transactions, provided that:
(i) Such reliance is reasonable under the circumstances;
(ii) The other financial institution is subject to a rule
implementing 31 U.S.C. 5318(h) or 12 U.S.C. 5903(a)(5)(A) and is
regulated by a Federal functional regulator; and
(iii) The other financial institution enters into a contract with
the permitted payment stablecoin issuer requiring it to certify
annually to the permitted payment stablecoin issuer that it has
implemented its AML/CFT program, and that it will perform (or its agent
will perform) specified requirements of the permitted payment
stablecoin issuer's CIP.
(b) Exemptions. The appropriate Federal functional regulator, with
the concurrence of the Secretary, may, by order or regulation, exempt
any permitted payment stablecoin issuer or any type of account from the
requirements of this section. The Secretary, with the concurrence of
the Federal functional regulator, may exempt any permitted payment
stablecoin issuer or any type of account from the requirements of this
section. In issuing such exemptions, the Federal functional regulator
and the Secretary shall consider whether the exemption is consistent
with the purposes of the Bank Secrecy Act and with safety and
soundness, in the public interest, and may consider other necessary and
appropriate factors.
(c) Other requirements unaffected. Nothing in this section relieves
a permitted payment stablecoin issuer of its obligation to comply with
any other provision of this chapter, including provisions concerning
information that must be obtained, verified, or maintained in
connection with any account or transaction, or its obligations with
respect to complying with the terms of any lawful order as set forth in
this chapter.
Andrea M. Gacki,
Director, Financial Crimes Enforcement Network.
Jointly issued by:
Office of the Comptroller of the Currency.
Jonathan V. Gould,
Comptroller of the Currency.
By order of the Board of Governors of the Federal Reserve
System.
Benjamin McDonough,
Secretary of the Board.
Federal Deposit Insurance Corporation.
By order of the Board of Directors.
Dated at Washington, DC, on May 13, 2026.
Jennifer M. Jones,
Deputy Executive Secretary.
By the National Credit Union Administration Board, this 12th day
of May 2026.
Melane Conyers-Ausbrooks,
Secretary of the Board.
[FR Doc. 2026-12460 Filed 6-18-26; 8:45 am]
BILLING CODE 4810-02-P